Re: smurf amp nets

[ken emery <ken () cnet com>]

On Sat, 13 Jun 1998, Karl Denninger wrote:

> On Sat, Jun 13, 1998 at 10:14:11AM +0200, Mikael Abrahamsson wrote:
> > On Sat, 13 Jun 1998, Jared Mauch wrote:
> >
> > >   One other thing, it would be interesting if someone started
> > > a smurf at a smurf amp.  (I'm tired, but believe that can be
> > > done, but not going to think too much about it.  The loop
> > > would be interesting, and require some fun intervention to fix).
> >
> > I think this is the way of the future when smurf amps get fixed. People
> > will put these kind of things on hacked machines, sending spoofed floods
> > to broadcast adresses locally. Since everybody seems to be going to
> > switched nets this can create substantial amount of data.
> >
> > I think the only way to solve this more permanently is to remove the
> > response of ICMP data to broadcast adresses in the OS. Is anyone
> > preassuring for this to happen? Is there a list of OS that actually does
> > respond to ICMP to broadcast adresses?
>
> Recent FreeBSD versions have an option to disable response to a broadcast
> ICMP.

Solaris also has this ability.  You need to use /usr/sbin/ndd utility to 
turn this off.  The RFC's say that responding to directed broadcast should 
be on (this has been hashed out here before) so the *nix vendors leave it 
enabled in the default config.  On Solaris 2.5.1 the following should 
turn off response to directed broadcasts:

ndd -set /dev/ip ip_forward_directed_broadcasts            0

There are also settings for other types of ICMP broadcast packets.  The response 
to these types of packets may be turned off with the following:

ndd -set /dev/ip ip_respond_to_address_mask_broadcast      0
ndd -set /dev/ip ip_respond_to_echo_broadcast              0
ndd -set /dev/ip ip_respond_to_timestamp_broadcast         0

Things could possibly be different on versions of Solaris other than 2.5.1 
and different patch levels can effect these things also.  So be careful 
when you are doing this.

bye,
ken emery