Bugtraq mailing list archives

Borderware v6.1.2 ping DoS vulnerability


From: Duane Dunston <ddunston () CAPEFEAR CC NC US>
Date: Fri, 26 Jan 2001 09:22:23 -0500

Borderware has confirmed this problem. They upgraded the problem below to a bug and informed me that the pings can be
stopped on-site by resetting the interfaces, which can be done from the Borderware client. Provided the exploit
doesn't attempt to re-establish a connection when the network interface comes back up, this is a temporary fix.

####
The Problem
####

OS/application:
Borderware firewall server v. 6.1.2

Unsure if it affects lower versions of the Borderware Firewall Server.

Exploit:
Sending a ping to the broadcast address on the network causes Borderware's ping server to continuously send echo requests to the
entire network. It is possible that a Denial-of-Service attack (smurf attack) can be executed on the network using
freely available exploit code. This can occur externally if broadcast packets aren't dropped at the router or on the
local network if other machines aren't configured to deny directed broadcasts.

This will not affect networks behind the Borderware Firewall but it will affect machines on the same network as the 
Borderware's public interface.

Reproducing the exploit:

ping xxx.xxx.xxx.255 or nmap -sP xxx.xxx.xxx.0/24 (the -f switch with ping will perform a ping flood, see the ping man 
page for more info)

There are freely available smurf attack exploits on the internet as well (run a search for "smurf attack" at
packetstorm.securify.com)

Fixes:
Reset the interfaces via the Borderware client. Provided the malicious code doesn't attempt to re-establish a
connection when the network interface comes back up, this is a temporary fix.

For machines on the network running Linux that are responding to the broadcasts, you can write "1" to the
/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts file:

# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

or add it to your /etc/sysctl.conf file (recommended):

net.ipv4.icmp_echo_ignore_broadcasts = 1

then run:

# sysctl -p (to load the change from /etc/sysctl.conf)

On a Cisco router this line will prevent replies to a directed broadcast:

deny ip any 0.0.0.255 255.255.255.0 (Taken from http://www.sans.org/infosecFAQ/firewall/perimeter_filter.htm)

Related info on Smurf Attacks:
        http://www.cert.org/advisories/CA-1998-01.html

Duane Dunston 
Unix Technical Specialist 
Cape Fear Community College 
(910) 251-5839  
 
"When three men are walking together, there is one who can be my teacher. I pick out people's good and follow it. When 
I see their bad points, I correct them in myself."  

--Confucius
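
An added example, not part of the original post: a POSIX shell audit for the Linux mitigation described above, checking both the running kernel value and the /etc/sysctl.conf entry so a host that is protected now but not after a reboot is flagged. The function names are hypothetical, and reading only /etc/sysctl.conf (not /etc/sysctl.d) is an assumption of this example.

```shell
#!/bin/sh
# Audit net.ipv4.icmp_echo_ignore_broadcasts in the running kernel and in
# the boot-time configuration. Function names are hypothetical; only a
# single sysctl.conf-style file is read (assumption of this example).
KEY="net.ipv4.icmp_echo_ignore_broadcasts"

# runtime_value [procfile]: print the live value, or "unknown" if unreadable.
runtime_value() {
    f="${1:-/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts}"
    if [ -r "$f" ]; then
        tr -d ' \t\n' < "$f"
    else
        echo unknown
    fi
}

# persistent_value [conffile]: print the last uncommented assignment of KEY,
# or "unset". The last assignment wins, as when sysctl loads the file.
persistent_value() {
    f="${1:-/etc/sysctl.conf}"
    [ -r "$f" ] || { echo unset; return 0; }
    awk -v key="$KEY" '
        /^[ \t]*[#;]/ { next }                 # skip comment lines
        {
            line = $0
            gsub(/[ \t]/, "", line)            # tolerate spaces around "="
            n = index(line, "=")
            if (n && substr(line, 1, n - 1) == key) val = substr(line, n + 1)
        }
        END { print (val == "" ? "unset" : val) }
    ' "$f"
}

# audit [procfile] [conffile]: return 0 only if both values are 1.
audit() {
    live=$(runtime_value "$1")
    boot=$(persistent_value "$2")
    echo "runtime=$live persistent=$boot"
    if [ "$live" = 1 ] && [ "$boot" = 1 ]; then
        echo "OK: broadcast echo requests are ignored now and after reboot"
        return 0
    fi
    [ "$live" = 1 ] || echo "FAIL: runtime value is not 1"
    [ "$boot" = 1 ] || echo "FAIL: setting is not persisted as 1 in the config file"
    return 1
}
```

Source the file and run `audit` with no arguments to check the live /proc entry and /etc/sysctl.conf; pass two file paths to check copies collected from other hosts.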

