Date:      Wed, 27 May 1998 21:11:39 -0700
From:      Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>
To:        Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>
Cc:        Bart Smit <bit@signature.nl>, "J.A. Terranson" <sysadmin@mfn.org>, "'FreeBSD Security'" <freebsd-security@FreeBSD.ORG>
Subject:   Re: SMURF in 2.2.5 
Message-ID:  <199805280411.VAA07122@cwsys.cwsent.com>
In-Reply-To: Your message of "Wed, 27 May 1998 09:22:50 PDT." <199805271623.JAA05578@passer.osg.gov.bc.ca> 

> > 
> > On Wed, 27 May 1998, J.A. Terranson wrote:
> > 
> > > I will not report this to bugtraq until you guys tell me there's
> > > a patch...
> > 
> > Well,  sysctl -w net.inet.icmp.bmcastecho=0  does not help, contrary to
> > what you'd expect from the advisory...
> 
> What about ipfw?  For example, where 123.123.123.0 is your network 
> address,
> 
> ipfw add deny icmp from 123.123.123.0 to any
> ipfw add deny icmp from 123.123.123.255 to any

It looks like I've been a little dyslexic in my previous post.  This 
should have been,

ipfw add deny icmp from any to 123.123.123.255

To circumvent the fraggle (UDP) attack,

ipfw add deny udp from any to 123.123.123.255

This has the added benefit of denying not only broadcast icmp (and udp) 
packets that are destined in but also broadcast icmp (and udp) packets 
destined out as well.


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Open Systems Group          Internet:  cschuber@uumail.gov.bc.ca
ITSD                                   Cy.Schubert@gems8.gov.bc.ca
Government of BC            
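
Added example, not part of the original message: a small Python helper that derives the directed-broadcast address for each local subnet and emits the ipfw deny rules in the form given above. It generalizes beyond the message's 123.123.123.255 case to subnets whose broadcast address does not end in .255; the /24 mask for 123.123.123.0, the other sample networks and the function name are assumptions made for illustration.

```python
import ipaddress


def broadcast_deny_rules(cidrs, protocols=("icmp", "udp")):
    """Build 'ipfw add deny <proto> from any to <broadcast>' rules.

    cidrs     -- iterable of IPv4 networks or interface addresses in CIDR form
    protocols -- icmp covers smurf, udp covers fraggle, as in the message
    """
    rules = []
    for cidr in cidrs:
        # strict=False accepts an interface address such as 10.1.2.70/26
        # and reduces it to the enclosing network 10.1.2.64/26.
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version != 4:
            continue  # IPv6 has no broadcast addresses
        if net.prefixlen >= 31:
            continue  # /31 links and /32 host routes have no broadcast address
        for proto in protocols:
            rules.append(
                f"ipfw add deny {proto} from any to {net.broadcast_address}"
            )
    return rules


if __name__ == "__main__":
    # Constructed sample input: the network from the message (mask assumed
    # to be /24), a /26 whose broadcast is .127, and a /31 that yields nothing.
    sample = ["123.123.123.0/24", "10.1.2.70/26", "192.0.2.8/31"]
    for rule in broadcast_deny_rules(sample):
        print(rule)
```

Review the printed rules before loading them, and place them ahead of any broader allow rule, since ipfw acts on the first matching rule.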



