Bugtraq mailing list archives
ICMP ECHO_REQUESTS to BROADCAST addresses
From: mikedoug () TEXAS NET (Michael Douglass)
Date: Sat, 19 Jul 1997 18:19:04 -0500
Here is some information that co-workers and I have gathered from recent experiences with a pretty hair DoS attack; this is serious as it can take a pretty large size network off of the net. -----Forwarded message from Edward Henigin <ed () texas net>----- Date: Sat, 19 Jul 1997 13:01:43 -0500 From: Edward Henigin <ed () texas net> We're seeing a pernicious sort of DOS attack lately. The attack takes advantage of hosts IP stack implementation, and how it deals with ICMP packets to the broadcast address. Basically, the short and sweet of it is that most hosts will respond to an echo-request to its broadcast address with an echo reply. So imagine this scenario: some disgruntled hax0r forges his source address to be your web server (or shell server, or irc server, or whatever) and sends some broadcast pings to a well populated remote network. His/her ping will be amplified by the number of hosts on the remote network. Here is an example to illustrate: In one window, I did this: (ed) spanky:~$ ping 205.236.175.255 205.236.175.255 is alive (ed) spanky:~$ In another, this: (root) spanky:~# snoop -d isptp0 proto icmp Using device /dev/isptp (promiscuous mode) spanky -> 205.236.175.255 ICMP Echo request toolbox.total.net -> spanky ICMP Echo reply falcon.total.net -> spanky ICMP Echo reply annex-08.mtl.total.net -> spanky ICMP Echo reply 199.166.230.99 -> spanky ICMP Echo reply gig.net -> spanky ICMP Echo reply 205.236.53.122 -> spanky ICMP Echo reply middletown.total.net -> spanky ICMP Echo reply 205.236.53.199 -> spanky ICMP Echo reply server95.total.net -> spanky ICMP Echo reply 205.236.175.20 -> spanky ICMP Echo reply freddy.total.net -> spanky ICMP Echo reply 205.205.162.10 -> spanky ICMP Echo reply tors.accent.net -> spanky ICMP Echo reply lightning.total.net -> spanky ICMP Echo reply c4700-01.mtl.total.net -> spanky ICMP Echo reply as5200-35.mtl.total.net -> spanky ICMP Echo reply newsfeeder.total.net -> spanky ICMP Echo reply annex-03.mtl.total.net -> spanky ICMP Echo reply annex-02.mtl.total.net -> spanky ICMP Echo reply as5200-31.mtl.total.net -> spanky ICMP Echo reply as5200-30.mtl.total.net -> spanky ICMP Echo reply phoenix.total.net -> spanky ICMP Echo reply bretweir.total.net -> spanky ICMP Echo reply 205.236.175.10 -> spanky ICMP Echo reply wacky.total.net -> spanky ICMP Echo reply 205.236.87.200 -> spanky ICMP Echo reply annex-01.mtl.total.net -> spanky ICMP Echo reply annex-10.mtl.total.net -> spanky ICMP Echo reply as5200-06.mtl.total.net -> spanky ICMP Echo reply as5200-33.mtl.total.net -> spanky ICMP Echo reply as5200-13.mtl.total.net -> spanky ICMP Echo reply as5200-34.mtl.total.net -> spanky ICMP Echo reply annex-09.mtl.total.net -> spanky ICMP Echo reply as5200-28.mtl.total.net -> spanky ICMP Echo reply annex-06.mtl.total.net -> spanky ICMP Echo reply as5200-08.mtl.total.net -> spanky ICMP Echo reply as5200-22.mtl.total.net -> spanky ICMP Echo reply as5200-36.mtl.total.net -> spanky ICMP Echo reply as5200-03.mtl.total.net -> spanky ICMP Echo reply cradlerock.total.net -> spanky ICMP Echo reply as5200-26.mtl.total.net -> spanky ICMP Echo reply as5200-37.mtl.total.net -> spanky ICMP Echo reply c4700-02.mtl.total.net -> spanky ICMP Echo reply www.greernet.com -> spanky ICMP Echo reply 199.166.230.69 -> spanky ICMP Echo reply ns2.accent.net -> spanky ICMP Echo reply rizzo.infobahnos.com -> spanky ICMP Echo reply www.webquebec.com -> spanky ICMP Echo reply annex-07.mtl.total.net -> spanky ICMP Echo reply as5200-12.mtl.total.net -> spanky ICMP Echo reply as5200-32.mtl.total.net -> spanky ICMP Echo reply as5200-19.mtl.total.net -> spanky ICMP Echo reply as5200-02.mtl.total.net -> spanky ICMP Echo reply as5200-29.mtl.total.net -> spanky ICMP Echo reply as5200-11.mtl.total.net -> spanky ICMP Echo reply as5200-20.mtl.total.net -> spanky ICMP Echo reply as5200-10.mtl.total.net -> spanky ICMP Echo reply as5200-21.mtl.total.net -> spanky ICMP Echo reply as5200-16.mtl.total.net -> spanky ICMP Echo reply as5200-15.mtl.total.net -> spanky ICMP Echo reply as5200-05.mtl.total.net -> spanky ICMP Echo reply as5200-01.mtl.total.net -> spanky ICMP Echo reply irc.total.net -> spanky ICMP Echo reply as5200-25.mtl.total.net -> spanky ICMP Echo reply as5200-04.mtl.total.net -> spanky ICMP Echo reply squid.total.net -> spanky ICMP Echo reply 205.236.175.12 -> spanky ICMP Echo reply as5200-14.mtl.total.net -> spanky ICMP Echo reply pico.total.net -> spanky ICMP Echo reply c4700-03.mtl.total.net -> spanky ICMP Echo reply nic2.total.net -> spanky ICMP Echo reply under.total.net -> spanky ICMP Echo reply annex-04.mtl.total.net -> spanky ICMP Echo reply 198.168.57.42 -> spanky ICMP Echo reply as5200-09.mtl.total.net -> spanky ICMP Echo reply as5200-24.mtl.total.net -> spanky ICMP Echo reply as5200-27.mtl.total.net -> spanky ICMP Echo reply as5200-23.mtl.total.net -> spanky ICMP Echo reply as5200-17.mtl.total.net -> spanky ICMP Echo reply as5200-18.mtl.total.net -> spanky ICMP Echo reply as5200-07.mtl.total.net -> spanky ICMP Echo reply (I've already been in contact with Total Access Inc, and they have put filters on their networks to prevent this from happening again.) In the above example, you see that a single echo request resulted in 81 echo replies, an 81x amplification of Internet traffic. A 28.8Kbps Internet connection becomes 2332.8Kbps, about a T1 and a half, worth of bandwidth, when amplified 81 times. You well know that this much traffic is more than enough to peg a small ISP. If one of these fiends either a) enlists the help of a few friends, all on 28.8 connections, or b) does this sort of thing from an open box on a higher speed university connection, well, they can take down even larger ISP's. What you need to do is put filters on your routers to prevent broadcast packets from entering your network. I believe that some networks, like Total Access Inc's, are among a list of "known" networks that can be used as part of a "portfolio" if you will, of networks that can be used to attack other networks. Everyone needs to be doing the following: 1) Keep measured traffic stats, and look at them, using something like MRTG. 2) Filter all broadcast traffic from coming into your network. I believe that it's QUITE rare to have an application that is both *routed* and uses the broadcast address. This is made harder when you VLSM, but I belive the majority of networks are provisioned on an 8 bit boundary, so you can filter 90% of the traffic by filtering to the .255 address. 3) Re-iterating what people have said before, filter outbound traffic to allow only *your* host traffic from getting out. This makes you a responsible Internet citizen, and makes it harder for people to launch attacks like this one. Thank you for your time. Edward Henigin Engineering Director, Texas Networking, Inc. ed () texas net (512) 427-1655 Alternate POC's for Texas.Net: Michael Douglass Senior Administrator mikedoug () texas net Bill Bradford Senior Administrator mrbill () texas net Jonah Yokubaitis President barron () texas net -----End of forwarded message----- -- Michael Douglass Texas Networking, Inc. <de> 'hail sparc, full of rammage' <de> 'the kernel is with thee' <de> 'blessed art thou amongst processors'
Current thread:
- ICMP ECHO_REQUESTS to BROADCAST addresses Michael Douglass (Jul 19)