
RE: icmp: echo reply? Am I being attacked?



	Just a small correction: the broadcast address is
	(typically) .255, but a bit of experimentation has
	shown that pings to .0 and .255 result in the same
	response.  You would be best to block both.

	Also, assuming that you used the command "tcpdump icmp",
	you should see the echo request being sent to the broadcast
	address.  Of course, as stated previously, the source of
	the echo request can easily be forged.

	Lastly, it seems as though Windows machines don't reply to
	pings to broadcast addresses; *nix machines, however, will.
	This is the likely explanation as to why all the *nix boxes
	were exhibiting this behaviour.

	As Michael Stone stated, broadcast traffic (at least ICMP)
	should be filtered at the router.  Also disabling broadcast
	ICMP on the Linux boxes is a good idea regardless of the
	filtering on the router.

	Hope this helps somewhat.

----------------------------------------------
John Vivian
Exxecom
Network Security Analyst
----------------------------------------------





-----Original Message-----
From: Michael Stone [mailto:mstone@debian.org]
Sent: Thursday, July 27, 2000 9:46 AM
To: Nuno Faria
Cc: debian-security@lists.debian.org
Subject: Re: icmp: echo reply? Am I being attacked?


On Thu, Jul 27, 2000 at 01:15:13PM +0100, Nuno Faria wrote:
> Ranko Veselinovic <rvjunior@gmx.net> sent me privately the following
> e-mail which I think might be relevant for the issue in question:
> _______________________
> I'm not sure but I think when you send an ICMP ECHO-Request to a
> broadcast
> address that the whole network will answer with echo-replies.
> I think this is a kind of smurf-attack and the address where the replies
> were sent is the target of the attacker. You were just abused for this
> attack.

Yes, you've been used as a smurf amplifier. The best course of action is
to not route broadcast addresses. (I.e., packets going to .0 are blocked
at the router.) Another approach is to 
	echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
on the linux machines. (Try putting it in a startup script.) That will
keep them from replying to broadcast echos.

-- 
Mike Stone

