Subject: Re: broadcast ping response
To: Eric Haszlakiewicz <email@example.com>
From: John Nemeth <firstname.lastname@example.org>
Date: 01/22/2005 16:42:29
On Jun 14, 1:00pm, Eric Haszlakiewicz wrote:
} On Sat, Jan 22, 2005 at 03:57:21PM -0800, John Nemeth wrote:
} > Why is NetBSD 2.0 responding to broadcast ICMP ECHO REQUEST (ping)
} > packets? Is there any way to stop it? Because this is a well known
} > DOS most modern OSes don't respond, so I'm surprised that current
} > versions of NetBSD do.
} DoS? How so? I would think that responding to a ping takes
} considerably less resources than, say, responding to a connection attempt.
It is a traffic amplification attack. Picture a network with 50+
machines, which respond to broadcast packets. You send one ping packet
to the broadcast address and get 50 back. A great way to flood a
network with very little effort. Send a continuous stream of packets
and even if you don't have a very high speed network, due to the
amplification effect you can completely saturate a remote network thus
making it useless. An even better trick is to fake the source address
(since ICMP is a connectionless protocol this is easy) and you can get
some sucker to flood the crap out of a third party. Tracing packets
with faked source addresses is not easy.
}-- End of excerpt from Eric Haszlakiewicz
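Detection logic for the amplification pattern described in the reply above, as an added example that is not part of the thread: it scans constructed ICMP flow records (the record format and the 192.0.2.0/24 LAN are assumptions) for echo requests sent to a broadcast address and counts how many distinct LAN hosts answered each one, keyed by the request's source address, which is the flooded third party when that source is spoofed.

```python
"""Detect broadcast-ping amplification in ICMP flow records (added example)."""
import ipaddress

# Constructed sample records, not real traffic: "time src dst icmp-type".
# 192.0.2.0/24 is the monitored LAN, so 192.0.2.255 is its broadcast address.
# The request's source (203.0.113.9) is spoofed, so that host receives the replies.
SAMPLE_LOG = """\
10.000 203.0.113.9 192.0.2.255 echo-request
10.001 192.0.2.10 203.0.113.9 echo-reply
10.001 192.0.2.11 203.0.113.9 echo-reply
10.002 192.0.2.12 203.0.113.9 echo-reply
10.002 192.0.2.13 203.0.113.9 echo-reply
10.500 192.0.2.20 192.0.2.21 echo-request
10.501 192.0.2.21 192.0.2.20 echo-reply
"""

LAN = ipaddress.ip_network("192.0.2.0/24")
LIMITED_BCAST = ipaddress.ip_address("255.255.255.255")


def parse(log):
    """Yield (time, src, dst, icmp_type) for each non-empty record."""
    for line in log.splitlines():
        if line.strip():
            t, src, dst, kind = line.split()
            yield float(t), ipaddress.ip_address(src), ipaddress.ip_address(dst), kind


def is_broadcast(addr):
    # Directed broadcast of the LAN or the limited broadcast address.
    return addr in (LAN.broadcast_address, LIMITED_BCAST)


def amplification_events(log, window=1.0, min_factor=2):
    """Map each victim (source of a broadcast echo request) to the largest
    number of distinct LAN hosts that answered it within `window` seconds.
    Only requests answered by at least `min_factor` hosts are reported."""
    records = list(parse(log))
    events = {}
    for t0, src, dst, kind in records:
        if kind != "echo-request" or not is_broadcast(dst):
            continue  # ordinary unicast pings are not amplification
        responders = {
            r_src for t, r_src, r_dst, k in records
            if k == "echo-reply" and r_dst == src and r_src in LAN
            and t0 <= t <= t0 + window
        }
        if len(responders) >= min_factor:
            events[str(src)] = max(events.get(str(src), 0), len(responders))
    return events
```

A result like {'203.0.113.9': 4} means one spoofed request drew four replies onto the third party, the 50-for-1 effect described above in miniature. On NetBSD the host-side behaviour itself is governed by the net.inet.icmp.bmcastecho sysctl, which the thread does not mention.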