From owner-freebsd-security Tue Jun 22 10:39:38 1999
Delivered-To: freebsd-security@freebsd.org
Received: from rapidnet.com (rapidnet.com [205.164.216.1]) by hub.freebsd.org (Postfix) with ESMTP id E8ECF156AE for ; Tue, 22 Jun 1999 10:39:31 -0700 (PDT) (envelope-from nick@rapidnet.com)
Received: from localhost (nick@localhost) by rapidnet.com (8.9.3/8.9.3) with ESMTP id LAA91748; Tue, 22 Jun 1999 11:39:11 -0600 (MDT)
Date: Tue, 22 Jun 1999 11:39:11 -0600 (MDT)
From: Nick Rogness
To: Pete Fritchman
Cc: security@freebsd.org
Subject: Re: Question: Preventing Smurf
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 22 Jun 1999, Pete Fritchman wrote:

> so let me get this straight...
>
> if your gateway is ping'able you *CAN* be a smurf relay?

I'm not sure. I would imagine that would depend on several variables...such as what type of smurf program they are using, or if they are just flood pinging your broadcast address. What your 'gateway' is and how it handles ICMP firewalling/filtering.

Ping packets shouldn't be hitting your broadcast or your BSD box. There are other ICMP types but none (that I can think of) should be broadcasting to your whole network. If there is...then I retract my previous statement and apologize, but I can't think of any.

I've seen whole networks dropped to their 'knees' because of machines answering ping packets on the broadcast. You should also block this on your border routers and WAN interfaces. But this ipfw rule helps if someone is attacking on your internal network.

> ---------------------------------------------
> Pete Fritchman          petef@netreach.net
> Netreach                www.netreach.net
> System Administrator
>
> On Tue, 22 Jun 1999, Nick Rogness wrote:
>
> > On Tue, 22 Jun 1999, N.N.M wrote:
> >
> > > Thanks for your reply. That is the point: I disable net.inet.icmp.bmcastecho (=0) on a freebsd box with the IP, i.e. x.x.11.18. But when I use broadcast ping (ping x.x.11.255) on another pc (i.e. x.x.11.17) on the same Ethernet, the first machine which is not supposed to reply to the ping, will reply! So I thought I might need another thing to disable that or maybe using broadcast ping on the same Ethernet isn't a good way to test it or ...... Any idea?
> >
> > # Deny icmp packets from hitting broadcast
> > ipfw add 3000 deny log icmp from any to x.x.11.255/32 in via de0
> >
> > > Nazila M.
> > >
> > > >From: mwlucas@exceptionet.com
> > > >To: madrapour@hotmail.com (N.N.M)
> > > >CC: freebsd-security@FreeBSD.ORG
> > > >Subject: Re: Question: Preventing Smurf
> > > >Date: Tue, 22 Jun 1999 07:06:52 -0400 (EDT)
> > > >
> > > >To test if it works, ping your subnet's broadcast address (i.e., a.b.c.255). If you're not sure of the broadcast, an ifconfig -a will give it to you.
> > > >
> > > >The machine won't respond to a broadcast ping. This will prevent you from being a smurf relay.
> > > >
> > > >A more effective method would be to block broadcast pings at the router to your network. Check your router's documentation or mfg. web site for exact instructions.
> > > >
> > > >Regards,
> > > >==ml
> > > >
> > > > > Hi,
> > > > >
> > > > > Is it enough to do "sysctl -w net.inet.icmp.bmcastecho=0" to prevent being Smurf Intermediary? And if so, how can I check it to be sure if it is ok?
> > > > > I did the above change, but my freebsd box still responds to ping (from a pc on the same Ethernet) to broadcast address. Is it normal?
> > > > >
> > > > > thanks,
> > > > > Nazila M.
> > > > >
> > > > > ______________________________________________________
> > > > > Get Your Private, Free Email at http://www.hotmail.com
> > > >
> > > >--
> > > >Michael Lucas              |
> > > >Exceptionet, Inc.          | www.exceptionet.com
> > > >"Exceptional Networking"   |

*******************************************************************
Nick Rogness                 "Never settle with words what
System Administrator          can be accomplished with a
RapidNet, INC                 flame-thrower"
nick@rapidnet.com
*******************************************************************

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
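As an added example (not code from this thread or from FreeBSD), a small Python helper that does the two checks the thread keeps circling: it confirms from `sysctl` output that `net.inet.icmp.bmcastecho` is 0, and it counts, per source address, the echo requests that the `deny log` rule above rejected on their way to the broadcast address, so a flood-pinging host on the internal segment shows up in the logs rather than in the network's response time. The ipfw syslog line layout and the 192.0.2.0/24 addresses are assumptions; the sample lines are constructed.

```python
import re
from collections import Counter

# Assumed syslog layout for an ipfw 'deny log' rule on FreeBSD 3.x, e.g.:
#   ipfw: 3000 Deny ICMP:8.0 192.0.2.17 192.0.2.255 in via de0
IPFW_ICMP_RE = re.compile(
    r"ipfw:\s+(?P<rule>\d+)\s+(?P<action>\w+)\s+ICMP:(?P<type>\d+)\.(?P<code>\d+)"
    r"\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<direction>in|out)\s+via\s+(?P<iface>\S+)"
)
ICMP_ECHO_REQUEST = 8  # the ICMP type a smurf flood aims at the broadcast address


def bmcastecho_disabled(sysctl_output):
    """True if 'sysctl net.inet.icmp.bmcastecho' output shows the knob set to 0."""
    m = re.search(r"net\.inet\.icmp\.bmcastecho:\s*(\d+)", sysctl_output)
    return m is not None and int(m.group(1)) == 0


def parse_ipfw_icmp(line):
    """Parse one ipfw ICMP log line into a dict, or return None if it does not match."""
    m = IPFW_ICMP_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "type", "code"):
        rec[key] = int(rec[key])
    return rec


def broadcast_echo_sources(lines, broadcast_addr, threshold=3):
    """Count echo requests sent to broadcast_addr per source; keep those at/above threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_ipfw_icmp(line)
        if rec and rec["type"] == ICMP_ECHO_REQUEST and rec["dst"] == broadcast_addr:
            counts[rec["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed sample input; 192.0.2.0/24 stands in for the x.x.11.0 network in the thread.
SAMPLE_SYSCTL = "net.inet.icmp.bmcastecho: 0"
SAMPLE_LOG = [
    "Jun 22 11:39:11 gw /kernel: ipfw: 3000 Deny ICMP:8.0 192.0.2.17 192.0.2.255 in via de0",
    "Jun 22 11:39:11 gw /kernel: ipfw: 3000 Deny ICMP:8.0 192.0.2.17 192.0.2.255 in via de0",
    "Jun 22 11:39:12 gw /kernel: ipfw: 3000 Deny ICMP:8.0 192.0.2.17 192.0.2.255 in via de0",
    "Jun 22 11:39:12 gw /kernel: ipfw: 3000 Deny ICMP:3.3 192.0.2.9 192.0.2.255 in via de0",
    "Jun 22 11:39:13 gw /kernel: ipfw: 3000 Deny ICMP:8.0 192.0.2.40 192.0.2.255 in via de0",
]

if __name__ == "__main__":
    print("bmcastecho disabled:", bmcastecho_disabled(SAMPLE_SYSCTL))
    print("broadcast echo floods:", broadcast_echo_sources(SAMPLE_LOG, "192.0.2.255"))
```

On a real box the two inputs would come from `sysctl net.inet.icmp.bmcastecho` and from grepping `ipfw:` lines out of /var/log/messages.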