Bugtraq mailing list archives

[(PM) PM3s Die - Comfirmed DoS Attack (fwd)]


From: dav () NNX COM (David TILLOY)
Date: Wed, 13 Jan 1999 10:13:55 +0100


        This is a message from the Livingston PM3 users mailing-list. It seems there
is a problem with the PM3, and Lucent is working on this bug. At this time, the
solution is given at the end of this message...

Best Regards,
        David.

----- Forwarded message from Romain GUESDON <guesdon () nnx com> -----

---------- Forwarded message ----------
Date: Tue, 12 Jan 1999 14:50:35 -0700 (MST)
From: Doug Ingraham <dpi () rapidnet com>
To: Robert Blayzor <robert () superior net>
Cc: portmaster-users () livingston com
Subject: Re: (PM) PM3s Die - Comfirmed DoS Attack

On Tue, 12 Jan 1999, Robert Blayzor wrote:

> Yes, it's confirmed.  PM3's are susceptible to a heavy DoS attack.
> Anyone with access to a decent (T1 or possibly less) Internet connection
> can completely hose your ethernet segment on which your PM3(s) live.
>
> For security reasons I will not post how to reproduce the problem here.
> But if you monitor your PM3's and your network closely, you'll know
> when this happens.  Suddenly, your PM3 segment will go from about 50k
> to over 6M+ (or more)...
>
> The problem has been reported to Lucent and they said they will be
> working on it.  I just want to let everyone be aware that if you start
> seeing this problem on your network, you'll know why.
>
> I will hint to you that it has to do with the PM3 advertising routes
> on your network, but when packets arrive at the PM3, the PM3 stupidly
> forwards the packets back to the gateway, causing a packet loop on
> your network until the TTL expires.
>
> -Enjoy, this one is a fun one.

This was discussed a long time ago.  I ran into it on one of my PM-2's
before the PM3 even existed.  The solution is an ofilter on the ethernet.

If your PM's ethernet address is 192.168.0.10 and your assigned IPs
are 192.168.2.16 with a pool size of 48, as an example, your filter needs to
look like:

add fil e.out
set fil e.out 1 permit 192.168.2.32/27
set fil e.out 2 permit 192.168.2.16/28
set fil e.out 3 permit 192.168.0.10/32
set fil e.out 4 deny log

If you have routes assigned by radius you will need to also include those
permits.

This solves the problem because it allows the box to only source routes
that it is supposed to be able to source.  If you do this on all boxes and
on your borders nobody will be able to spoof those IP addresses and inject
them into your network and so they won't bounce between your PM and your
router like they do now a couple of hundred times before the ttl expires.

Doug Ingraham     You can judge the quality of your life by how often
Rapid City, SD      you notice the enjoyment of the little things.
USA
----- End forwarded message -----

--
David TILLOY  .  Neuronnexion (nnx)
19/21, rue des Augustins . 80000 Amiens . FRANCE
Tel (+33 3).22.71.61.90 . Fax (+33 3).22.71.61.99
Mailto:David.TILLOY () neuronnexion fr
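
The filter in the forwarded message can be derived from the pool start and pool size instead of being worked out by hand. The following is an added example, not part of the original thread or of any Lucent tooling: the function names are hypothetical, the command syntax is copied from the message above, and each permit is modelled as a source-address match as the message describes.

```python
import ipaddress

def pool_networks(first_ip, pool_size):
    """Minimal CIDR blocks covering pool_size addresses starting at first_ip."""
    first = ipaddress.IPv4Address(first_ip)
    last = first + (pool_size - 1)
    return list(ipaddress.summarize_address_range(first, last))

def build_filter(name, ether_ip, first_ip, pool_size, extra_routes=()):
    """Return (permitted networks, filter command lines) for an output filter.

    extra_routes holds any additional prefixes the box may legitimately
    source, e.g. routes assigned by RADIUS (the caller supplies them).
    """
    nets = pool_networks(first_ip, pool_size)
    nets += [ipaddress.IPv4Network(r) for r in extra_routes]
    nets.append(ipaddress.IPv4Network(f"{ether_ip}/32"))
    # Merge overlapping or adjacent prefixes so the rule list stays short.
    nets = list(ipaddress.collapse_addresses(nets))
    lines = [f"add fil {name}"]
    for n, net in enumerate(nets, start=1):
        lines.append(f"set fil {name} {n} permit {net}")
    # Final rule: anything else is dropped and logged.
    lines.append(f"set fil {name} {len(nets) + 1} deny log")
    return nets, lines

def permitted(nets, src_ip):
    """True if a packet with this source address matches a permit rule."""
    addr = ipaddress.IPv4Address(src_ip)
    return any(addr in net for net in nets)

if __name__ == "__main__":
    # Values from the message: ethernet 192.168.0.10, pool 192.168.2.16, size 48.
    nets, lines = build_filter("e.out", "192.168.0.10", "192.168.2.16", 48)
    print("\n".join(lines))
    # Constructed sample sources: two inside the pool, two outside it.
    for src in ("192.168.2.16", "192.168.2.63", "192.168.2.64", "10.1.2.3"):
        print(src, "permit" if permitted(nets, src) else "deny log")
```

The rules come out sorted by prefix, so the numbering differs from the hand-written filter, but the permitted set is the same.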


