1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
|
-----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
FreeBSD-SA-98:06 Security Advisory
FreeBSD, Inc.
Topic: smurf attack
Category: core
Module: kernel
Announced: 1998-06-10
Affects: FreeBSD 2.2.*, FreeBSD-stable and FreeBSD-current
before 1998/05/26 suffer from this problem.
Corrected: FreeBSD-current as of 1998/05/26
FreeBSD-stable as of 1998/05/26
FreeBSD only: yes
Patches: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-98:06/
=============================================================================
IMPORTANT MESSAGE: The FreeBSD security officer now uses the policy
ftp://ftp.freebsd.org/pub/FreeBSD/POLICY.asc for sending out
advisories.
=============================================================================
I. Background
As can be read in CERT advisory CA-98.01.smurf, there exists
a denial of service attack called "smurfing". This attack sends
ICMP echo requests to the broadcast address of a network. This
results in the source address of the ICMP packets being flooded
with ICMP echo replies. Of course, the source address is
spoofed.
II. Problem Description
A solution at the intermediate network being abused to generate
the ICMP echo replies is to either block ICMP echo requests
directed to a broadcast address or to configure the hosts on
that network not to respond to such an ICMP request. In the
CERT advisory, the following was reported:
In FreeBSD 2.2.5 and up, the tcp/ip stack does not respond
to ICMP echo requests destined for broadcast and multicast
addresses by default. This behavior can be changed via the
sysctl command via mib net.inet.icmp.bmcastecho.
Unfortunately, an error was made with the implementation of
this functionality and, despite the text in the CERT
advisory, the net.inet.icmp.bmcastecho sysctl variable default
is to respond to ICMP packets sent to the networks broadcast
address. You should explicitly run the command
sysctl -w net.inet.icmp.bmcastecho=0
to disable this.
III. Impact
Your network can suffer performance degradation when a
large amount of spoofed ICMP is sent to your broadcast address.
IV. Workaround
Block ICMP echo requests to broadcast addresses in your kernel
using ipfw(8). See CERT advisory CA-98.01.smurf for more
workarounds.
V. Solution
Apply the following patch:
Patch for 3.0-current, 2.2-stable, 2.2.5 and 2.2.6 systems:
Index: ip_icmp.c
===================================================================
RCS file: /home/cvsup/freebsd/CVS/src/sys/netinet/ip_icmp.c,v
retrieving revision 1.29
retrieving revision 1.30
diff -u -r1.29 -r1.30
--- ip_icmp.c 1997/08/25 16:29:27 1.29
+++ ip_icmp.c 1998/05/26 11:34:30 1.30
@@ -375,8 +375,7 @@
case ICMP_ECHO:
if (!icmpbmcastecho
- && (m->m_flags & (M_MCAST | M_BCAST)) != 0
- && IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
+ && (m->m_flags & (M_MCAST | M_BCAST)) != 0) {
icmpstat.icps_bmcastecho++;
break;
}
@@ -385,8 +384,7 @@
case ICMP_TSTAMP:
if (!icmpbmcastecho
- && (m->m_flags & (M_MCAST | M_BCAST)) != 0
- && IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
+ && (m->m_flags & (M_MCAST | M_BCAST)) != 0) {
icmpstat.icps_bmcasttstamp++;
break;
}
=============================================================================
FreeBSD, Inc.
Web Site: http://www.freebsd.org/
Confidential contacts: security-officer@freebsd.org
Security notifications: security-notifications@freebsd.org
Security public discussion: freebsd-security@freebsd.org
PGP Key: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc
Notice: Any patches in this document may not apply cleanly due to
modifications caused by digital signature or mailer software.
Please reference the URL listed at the top of this document
for original copies of all patches if necessary.
=============================================================================
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
iQCVAwUBNX7QUlUuHi5z0oilAQEBMQP6Avlv1dEMtH7thC510f17to9UNcDAobz4
83Fd5qVfwjBy5G0AxSLOLYb4/9ZI137aNtsLRcvx3J4CRGPBCpA7UXptID/QuTHO
6Z0sqix21OAigcrdX0Aegx2JBvY+NLgBSK4NrWbpp5sAjjW1i4OS/wzGQmhXFDjU
JGoIZMmYKXU=
=VFXs
-----END PGP SIGNATURE-----
|