From owner-freebsd-security Tue Jun 22 11:49:48 1999
Delivered-To: freebsd-security@freebsd.org
Received: from smtp.thegrid.net (smtp.thegrid.net [209.162.1.11]) by hub.freebsd.org (Postfix) with SMTP id 8CF84153CF for ; Tue, 22 Jun 1999 11:49:35 -0700 (PDT) (envelope-from dean@thegrid.net)
Received: (qmail 5606 invoked from network); 22 Jun 1999 18:49:34 -0000
Received: from pop.thegrid.net (209.162.1.5) by smtp.thegrid.net with SMTP; 22 Jun 1999 18:49:34 -0000
Received: from zippy (lax-ts6-h1-54-123.ispmodems.net [209.162.54.123]) by pop.thegrid.net (8.9.1a/8.9.1) with SMTP id LAA05922 for ; Tue, 22 Jun 1999 11:49:31 -0700 (PDT)
Message-Id: <4.1.19990622113736.009637d0@mail.thegrid.net>
X-Sender: i289861@mail.thegrid.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Tue, 22 Jun 1999 11:40:58 -0700
To: security@FreeBSD.ORG
From: Dean
Subject: Re: Question: Preventing Smurf
In-Reply-To:
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 11:39 AM 6/22/99 -0600, you wrote:
>On Tue, 22 Jun 1999, Pete Fritchman wrote:
>
>> so let me get this straight...
>>
>> if your gateway is ping'able you *CAN* be a smurf relay?
>
> I'm not sure. I would imagine that would depend on several
> variables...such as what type of smurf program they are using,
> or if they are just flood pinging your broadcast address. What
> your 'gateway' is and how it handles ICMP firewalling/filtering.
>
> Ping packets shouldn't be hitting your broadcast or your BSD box.
> There are other ICMP types but none (that I can think of) should
> be broadcasting to your whole network. If there is... then I
> retract my previous statement and apologize, but I can't think of
> any.
>
> I've seen whole networks dropped to their 'knees' because of
> machines answering ping packets on the broadcast. You should also
> block this on your border routers and WAN interfaces.
> But this
> ipfw rule helps if someone is attacking on your internal network.
>

The ideal thing to do would be to filter broadcast pings out at your border routers/gateways. This will prevent you from having to configure ALL the machines on your network and save you a lot of time. Heck, I'd filter out all echo requests coming in to my network.

My 2 cents,
Dean

>
>>
>> ---------------------------------------------
>> Pete Fritchman                petef@netreach.net
>> Netreach                      www.netreach.net
>> System Administrator
>>
>> On Tue, 22 Jun 1999, Nick Rogness wrote:
>>
>> > On Tue, 22 Jun 1999, N.N.M wrote:
>> >
>> > > Thanks for your reply. That is the point: I disable net.inet.icmp.bmcastecho
>> > > (=0) on a freebsd box with the IP, i.e. x.x.11.18. But when I use broadcast
>> > > ping (ping x.x.11.255) on another pc (i.e. x.x.11.17) on the same Ethernet,
>> > > the first machine, which is not supposed to reply to the ping, will reply! So
>> > > I thought I might need another thing to disable that, or maybe using
>> > > broadcast ping on the same Ethernet isn't a good way to test it, or ......
>> > > Any idea?
>> >
>> >
>> > # Deny icmp packets from hitting broadcast
>> > ipfw add 3000 deny log icmp from any to x.x.11.255/32 in via de0
>> >
>> >
>> > >
>> > > Nazila M.
>> > >
>> > > >From: mwlucas@exceptionet.com
>> > > >To: madrapour@hotmail.com (N.N.M)
>> > > >CC: freebsd-security@FreeBSD.ORG
>> > > >Subject: Re: Question: Preventing Smurf
>> > > >Date: Tue, 22 Jun 1999 07:06:52 -0400 (EDT)
>> > > >MIME-Version: 1.0
>> > > >From mwlucas@easeway.com Tue Jun 22 11:18:15 1999
>> > > >Received: (from mwlucas@localhost) by easeway.com (8.8.8/8.8.5) id HAA02940; Tue, 22 Jun 1999 07:06:56 -0400 (EDT)
>> > > >Message-Id: <199906221106.HAA02940@easeway.com>
>> > > >In-Reply-To: <19990622073945.98174.qmail@hotmail.com> from "N.N.M" at "Jun 22, 99 00:39:43 am"
>> > > >X-Mailer: ELM [version 2.4ME+ PL32 (25)]
>> > > >
>> > > >To test if it works, ping your subnet's broadcast address (i.e.,
>> > > >a.b.c.255). If you're not sure of the broadcast, an ifconfig -a will give
>> > > >it to you.
>> > > >
>> > > >The machine won't respond to a broadcast ping. This will prevent you from
>> > > >being a smurf relay.
>> > > >
>> > > >A more effective method would be to block broadcast pings at the router to
>> > > >your network. Check your router's documentation or mfg. web site for
>> > > >exact instructions.
>> > > >
>> > > >Regards,
>> > > >==ml
>> > > >
>> > > >
>> > > > >
>> > > > > Hi,
>> > > > >
>> > > > > Is it enough to do "sysctl -w net.inet.icmp.bmcastecho=0" to prevent being
>> > > > > a Smurf Intermediary? And if so, how can I check it to make sure it is ok?
>> > > > > I did the above change, but my freebsd box still responds to ping (from a
>> > > > > pc on the same Ethernet) to the broadcast address. Is it normal?
>> > > > >
>> > > > > thanks,
>> > > > > Nazila M.
>> > > > >
>> > > > > ______________________________________________________
>> > > > > Get Your Private, Free Email at http://www.hotmail.com
>> > > > >
>> > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org
>> > > > > with "unsubscribe freebsd-security" in the body of the message
>> > > > >
>> > > >
>> > > >--
>> > > >Michael Lucas             |
>> > > >Exceptionet, Inc.         | www.exceptionet.com
>> > > >"Exceptional Networking"  |
>> > > >
>> > >
>> >
>> > *******************************************************************
>> > Nick Rogness                  "Never settle with words what
>> > System Administrator           can be accomplished with a
>> > RapidNet, INC                  flame-thrower"
>> > nick@rapidnet.com
>> > *******************************************************************
>> >
>
-------------------------------------------------------------------------------
A train stops at a train station, a bus stops at a bus station.
On my desk, I have a workstation....
-------------------------------------------------------------------------------
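The thread's practical question is how to verify that a host no longer answers broadcast pings and therefore cannot be used as a smurf amplifier. The script below is an added example written for this page; it is not code posted by anyone in the thread. It does the two checks the messages describe: it reads the FreeBSD sysctl net.inet.icmp.bmcastecho, and it parses the output of a ping to the subnet broadcast address to list every host that answered (ping marks every extra reply to one echo request with "(DUP!)", which is exactly what an amplifying subnet looks like). The 10.0.11.0/24 addresses and the embedded ping transcript are constructed sample data standing in for the x.x.11.x addresses in the thread; the sysctl output format ("name: value") is FreeBSD's.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a FreeBSD host and
# its subnet for smurf-relay exposure.

# Return 0 if the sysctl line shows broadcast echo replies disabled, 1 if
# enabled, 2 if the line is not recognisable. Accepts the full
# "net.inet.icmp.bmcastecho: 0" line from sysctl(8) or the bare value
# from "sysctl -n".
bmcastecho_disabled() {
    case "$1" in
        "net.inet.icmp.bmcastecho: 0" | 0) return 0 ;;
        "net.inet.icmp.bmcastecho: "* | [0-9]*) return 1 ;;
        *) echo "unexpected sysctl output: '$1'" >&2; return 2 ;;
    esac
}

# Read ping output on stdin and print the distinct addresses that replied,
# one per line, sorted. Reply lines look like
#   64 bytes from 10.0.11.18: icmp_seq=0 ttl=64 time=0.321 ms (DUP!)
# or, when reverse DNS resolves, "64 bytes from host (10.0.11.18): ...";
# the second sed keeps only the address in that case.
broadcast_responders() {
    sed -n 's/^[0-9][0-9]* bytes from \([^:]*\):.*$/\1/p' \
      | sed 's/.*(\([^)]*\)).*/\1/' \
      | sort -u
}

# Number of distinct responders (the amplification factor of the subnet).
count_responders() {
    broadcast_responders | wc -l | tr -d ' '
}

# Return 0 if the given address answered the broadcast ping read on stdin.
# This is the check the thread asks for: the host that has bmcastecho=0
# must NOT appear.
host_answered() {
    broadcast_responders | grep -Fqx "$1"
}

# Live audit (not exercised by the sample run below): check the local
# sysctl, then ping the broadcast address and report who answers. On
# FreeBSD ping(8) sends to a directed broadcast without extra flags;
# Linux ping needs -b.
smurf_audit() {
    bcast=$1
    sysctl_line=$(sysctl net.inet.icmp.bmcastecho 2>/dev/null)
    if bmcastecho_disabled "$sysctl_line"; then
        echo "local host: bmcastecho is off"
    else
        echo "local host: bmcastecho is ON or unreadable: '$sysctl_line'"
    fi
    echo "hosts answering broadcast ping to $bcast (potential smurf amplifiers):"
    ping -c 3 "$bcast" 2>/dev/null | broadcast_responders
}

# Constructed sample transcript: 10.0.11.17 pings the broadcast address and
# two other hosts answer every request, so the subnet amplifies 3x.
SAMPLE_PING_OUTPUT='PING 10.0.11.255 (10.0.11.255): 56 data bytes
64 bytes from 10.0.11.17: icmp_seq=0 ttl=64 time=0.123 ms
64 bytes from 10.0.11.18: icmp_seq=0 ttl=64 time=0.321 ms (DUP!)
64 bytes from 10.0.11.20: icmp_seq=0 ttl=255 time=0.540 ms (DUP!)
64 bytes from 10.0.11.17: icmp_seq=1 ttl=64 time=0.119 ms
64 bytes from 10.0.11.18: icmp_seq=1 ttl=64 time=0.330 ms (DUP!)
64 bytes from 10.0.11.20: icmp_seq=1 ttl=255 time=0.522 ms (DUP!)

--- 10.0.11.255 ping statistics ---
2 packets transmitted, 2 packets received, +4 duplicates, 0.0% packet loss
round-trip min/avg/max/stddev = 0.119/0.326/0.540/0.156 ms'

# With a broadcast address as the first argument, run the live audit;
# otherwise show the parser on the constructed sample.
if [ -n "${1:-}" ]; then
    smurf_audit "$1"
else
    echo "responders in the constructed sample transcript:"
    printf '%s\n' "$SAMPLE_PING_OUTPUT" | broadcast_responders
fi
```

Run the live audit from a second host on the same segment, as the thread does ("sh smurf_audit.sh x.x.11.255"), and the list it prints is the set of machines that still need bmcastecho=0 or an equivalent filter. Repeating the ping from outside the border router is the test of Dean's and Michael Lucas's stronger recommendation: if the router drops echo requests to the directed broadcast, the list should be empty regardless of how the individual hosts are configured.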