Vulnerability Development mailing list archives
Re: "Re: ping flooding as normal user" and strange icmp behavior with Linux 2.4
From: Slawek <sgp () TELSATGP COM PL>
Date: Sun, 20 Aug 2000 10:36:24 +0200
Friday, August 18, 2000 12:00 AM +0200, Weston Pawlowski wrote:
> Although 60000 will work, 65470 will not. There is an upper limit, it is just a bit high. My LRP box (kernel 2.0.36) won't reply to anything above 52350, however my server (kernel 2.4.0-test4) will reply to anything. In any case, you can reduce the effectiveness of a ping flood by setting your box to simply not reply to icmp echo-requests. A ping flood can still clog your bandwidth, but at least you won't be replying to all those pings and clogging your upstream bandwidth as well.

Well, in fact eating somebody's incoming bandwidth is enough most of the time .. and disabling ping replying is not a very good idea at all. I'm disabling it temporarily when I get "too many" pings. In fact, at least in my example, the system didn't reply to any of the pings just because it didn't receive *any* of the pings "from the start to the end" (at least one of the fragments got lost from each of them).

> <snip>
> Something strange that I noticed while experimenting with ping is that setting a size of 65465 to 65468 and pinging one of my Linux 2.4.0-test4 boxes causes it to dump a lot of hex:
>
> [weston@bug weston]$ ping -s 65468 192.168.22.1 | more
> PING 192.168.22.1 (192.168.22.1): 65468 data bytes
> 65476 bytes from 192.168.22.1: icmp_seq=0 ttl=255 time=14.7 ms
> wrong data byte #65464 should be 0xb9 but was 0xb8
>         14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33
> <then a lot more hex>
>
> Does anyone know what is going on there? I don't think it's a security problem, as it doesn't seem to have any effect on either the sender or the recipient (both are using Linux 2.4.0-test4).

Well, this is *really* bad, this can be some overflow in large packet handling or something like that .. And different systems allow different maximum ping packet sizes .. well .. this is not a limitation of the "ping" command but rather something in the kernel .. I wonder what would happen if somebody pings some system with a packet larger than it could "ping reply".

In fact I can see some DoS programs in the wild based on this problem .. This is an example:
http://newdata.box.sk/neworder/harmless/GTMHH2-3.TXT
NOTE: I *DIDN'T* CHECK THIS OUT, sorry if it's not working ;o) .. well, in fact I hope it's not working

Bye,
Slawek