Vulnerability Development mailing list archives

icmp_echo_ignore_broadcast


From: - s l e i g h t e r - <sleighter () southbreak com>
Date: Wed, 24 Jan 2001 00:26:05 +0700

I think it would be better if you ignore everything :)

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

and I think the standard configuration from /etc/sysctl.conf is secure
enough.
-------------------------------------------------------------------------
# Disables packet forwarding
net.ipv4.ip_forward = 0
# Enables source route verification
net.ipv4.conf.all.rp_filter = 1
# Enables automatic defragmentation (needed for masquerading, LVS)
net.ipv4.ip_always_defrag = 1
# Disables the magic-sysrq key
kernel.sysrq = 0
-------------------------------------------------------------------------

You can get a sample as "blockping.tar.gz"; just extract it and move the files
to /usr/bin/:
http://godwrath.hypermart.net/pub/misc/blockping.tar.gz

I found this "simple" script working well on Linux; notify me if you find
it working on BSD or something else.


regards,

sleighter.

-------------------------------------------------------------------------
B R A I N W A R E                                sleighter () southbreak com
http://www.brainware.sh                             - s l e i g h t e r -
Wednesday, January 24, 2001
-------------------------------------------------------------------------


-------------------------------------------------------------------------
This is a forwarded message
From: Duane Dunston <ddunston () CAPEFEAR CC NC US>
To: VULN-DEV () SECURITYFOCUS COM
Date: Tuesday, January 23, 2001, 8:08:58 PM
Subject:

I was curious to know if someone could reproduce this problem, as Borderware
hasn't gotten back to me since the end of November 2000 regarding this issue.
I pinged the broadcast again, doing a regular test on January 22nd 2001,
and the same thing occurred.

####
The Problem
####

OS/application:
Borderware firewall server v. 6.1.2
Unsure if it affects lower versions of the Borderware Firewall Server.

Exploit:
Sending a ping to the broadcast on the network causes Borderware's ping
server to continuously send echo requests to the entire network. It is
possible that a Denial-of-Service attack (smurf attack) can be executed on
the network using freely available exploit code. This can occur externally
if broadcast packets aren't dropped at the router, or on the local network
if other machines aren't configured to deny directed broadcasts.
This will not affect networks behind the Borderware Firewall, but it will
affect machines on the same network as the Borderware's public interface.

Reproducing the exploit:
ping xxx.xxx.xxx.255 or ping xxx.xxx.xxx.0/24 (the -f switch will perform
a ping flood, see the ping man page for more info)
There are freely available smurf attack exploits available on the internet
as well (run a search for "smurf attack" at packetstorm.securify.com)

Fixes:
Borderware doesn't give users access to the console to restart the ping
server so you have to call them to restart it remotely.
For machines on the network that are responding to the broadcasts and running
Linux, you can add "1" to the /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
file:
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
or add it to your /etc/sysctl.conf file (recommended):
net.ipv4.icmp_echo_ignore_broadcasts = 1
then run:
# sysctl -w (to update the change)
On a cisco router this line will prevent replies to a directed broadcast:
deny ip any 0.0.0.255 255.255.255.0 (taken from
http://www.sans.org/infosecFAQ/firewall/perimeter_filter.htm)
Related info on Smurf Attacks:
http://www.cert.org/advisories/CA-1998-01.html

--------------------------------------------------------------------------
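Both messages above come down to a handful of /proc/sys keys (icmp_echo_ignore_broadcasts from the forwarded report, rp_filter and ip_forward from the quoted sysctl.conf). The script below is an added example from the editor, not code from either poster or from the blockping tarball: it audits those keys by reading the /proc/sys tree, reports each one as ok, WEAK or missing, and can apply the values the thread recommends the same way `echo 1 > /proc/sys/...` does. PROC_SYS is an assumed environment variable so the functions can be pointed at a constructed directory with the same layout for testing without root.

```shell
#!/bin/sh
# Audit (and optionally apply) the kernel settings discussed in this thread by
# reading the /proc/sys tree directly. Added example, not from either message.
# PROC_SYS (assumed variable) may point at a constructed directory with the
# same layout for offline testing; it defaults to the live /proc/sys.

# key=expected pairs, with the values the two messages recommend.
WANTED="net/ipv4/icmp_echo_ignore_broadcasts=1 \
net/ipv4/conf/all/rp_filter=1 \
net/ipv4/ip_forward=0"

# check_key DIR KEY EXPECTED
#   returns 0 if the key holds EXPECTED, 1 if it holds another value,
#   2 if the file is missing or unreadable
check_key() {
    ck_file="$1/$2"
    if [ ! -r "$ck_file" ]; then
        printf '%-40s missing\n' "$2"
        return 2
    fi
    ck_actual=$(cat "$ck_file")
    if [ "$ck_actual" = "$3" ]; then
        printf '%-40s ok (%s)\n' "$2" "$ck_actual"
        return 0
    fi
    printf '%-40s WEAK: is %s, want %s\n' "$2" "$ck_actual" "$3"
    return 1
}

# audit DIR: checks every key in WANTED; the return value is the number of
# keys that are weak or missing, so 0 means the host matches the thread's advice.
audit() {
    a_bad=0
    for a_entry in $WANTED; do
        check_key "$1" "${a_entry%=*}" "${a_entry#*=}" || a_bad=$((a_bad + 1))
    done
    return "$a_bad"
}

# harden DIR: writes the expected value into each key that exists and is
# writable (the "echo 1 > /proc/sys/..." step from the thread, for every key).
# This is the runtime change only; keep the matching lines in /etc/sysctl.conf
# so the values survive a reboot.
harden() {
    for h_entry in $WANTED; do
        h_file="$1/${h_entry%=*}"
        if [ -w "$h_file" ]; then
            printf '%s\n' "${h_entry#*=}" > "$h_file"
        else
            printf 'cannot write %s (not root, or key absent)\n' "$h_file"
        fi
    done
}

# When run directly: report against the live tree and say how many keys differ.
audit "${PROC_SYS:-/proc/sys}" || printf '%s key(s) need attention\n' "$?"
```

Run it as an unprivileged user to get the report; run `harden /proc/sys` as root to apply the values, then `audit /proc/sys` again should return 0. The check reads the files rather than calling the sysctl binary so it behaves the same on the minimal systems this thread is about.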

