Subject: Re: broadcast ping response
To: John Nemeth <jnemeth@victoria.tc.ca>
From: Manuel Bouyer <bouyer@antioche.eu.org>
List: tech-net
Date: 01/23/2005 14:05:25
On Sat, Jan 22, 2005 at 04:42:29PM -0800, John Nemeth wrote:
> On Jun 14,  1:00pm, Eric Haszlakiewicz wrote:
> } On Sat, Jan 22, 2005 at 03:57:21PM -0800, John Nemeth wrote:
> } >      Why is NetBSD 2.0 responding to broadcast ICMP ECHO REQUEST (ping)
> } > packets?  Is there any way to stop it?  Because this is a well known
> } > DOS most modern OSes don't respond, so I'm surprised that current
> } > versions of NetBSD do.
> } 
> }       DoS?  How so?  I would think that responding to a ping takes
> } considerably less resources than, say, responding to a connection attempt.
> 
>      It is a traffic amplification attack.  Picture a network with 50+
> machines, which respond to broadcast packets.  You send one ping packet
> to the broadcast address and get 50 back.  A great way to flood a
> network with very little effort.  Send a continuous stream of packets
> and even if you don't have a very high speed network, due to the
> amplification effect you can completely saturate a remote network thus
> making it useless.  An even better trick is to fake the source address
> (since ICMP is a connectionless protocol this is easy) and you can get
> some sucker to flood the crap out of a third party.  Tracing packets
> with faked source addresses is not easy.

The appropriate way to deal with this is to block traffic to broadcast
addresses on routers (so the attack can only come from the LAN, and it's
easy to track down). Replies to ICMP echo requests for broadcast addresses
are very useful for various reasons, so please keep this feature.

-- 
Manuel Bouyer <bouyer@antioche.eu.org>
     NetBSD: 26 years of experience will always make the difference
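The two sides of this thread, the amplification effect of a spoofed echo request to a directed-broadcast address and the router-side filter that confines the attack to the LAN, as an added simulation that is not part of the original mailing-list exchange or of NetBSD. It models a /24 with 50 hosts that answer broadcast pings, an attacker outside the network forging the victim's source address, and a router ingress rule that drops packets addressed to the subnet's broadcast address (or 255.255.255.255) while still forwarding unicast pings. All addresses are constructed from the RFC 5737 documentation prefixes, and the host model is deliberately simplified (every host replies once, no rate limiting); the names Packet, Lan, router_allows and simulate are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed addresses (RFC 5737 documentation ranges), not real hosts.
LAN_CIDR = "192.0.2.0/24"        # the reflecting network behind the router
VICTIM = "198.51.100.9"          # third party whose address the attacker forges
LIMITED_BROADCAST = "255.255.255.255"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    kind: str  # "echo-request" or "echo-reply"


class Lan:
    """A LAN whose hosts answer ICMP echo requests sent to a broadcast address."""

    def __init__(self, cidr: str, n_hosts: int):
        self.net = ipaddress.ip_network(cidr)
        self.hosts = [str(h) for h in list(self.net.hosts())[:n_hosts]]
        self.broadcast = str(self.net.broadcast_address)

    def deliver(self, pkt: Packet) -> List[Packet]:
        """Replies generated by the hosts for one packet that reached the wire.

        A request to the directed or limited broadcast address is answered by
        every host; a unicast request is answered by that host only.  Replies
        go to the packet's source address, which nothing here verifies, so a
        forged source turns the LAN into a reflector.
        """
        if pkt.kind != "echo-request":
            return []
        if pkt.dst in (self.broadcast, LIMITED_BROADCAST):
            responders = self.hosts
        elif pkt.dst in self.hosts:
            responders = [pkt.dst]
        else:
            return []
        return [Packet(src=h, dst=pkt.src, kind="echo-reply") for h in responders]


def router_allows(pkt: Packet, lan: Lan) -> bool:
    """Ingress rule on the LAN's router: forward only unicast traffic for the subnet.

    Directed broadcasts from outside are dropped, so the broadcast-ping
    behaviour stays available on the LAN but cannot be reached across the
    router.  Unicast echo requests are still forwarded.
    """
    dst = ipaddress.ip_address(pkt.dst)
    if dst == lan.net.broadcast_address or dst == ipaddress.ip_address(LIMITED_BROADCAST):
        return False
    return dst in lan.net


def simulate(lan: Lan, inbound: List[Packet], filter_on: bool) -> List[Packet]:
    """Push packets arriving from outside through the router, collect replies."""
    replies: List[Packet] = []
    for pkt in inbound:
        if filter_on and not router_allows(pkt, lan):
            continue
        replies.extend(lan.deliver(pkt))
    return replies


def replies_to(replies: List[Packet], address: str) -> int:
    """How many reply packets end up at a given address."""
    return sum(1 for r in replies if r.dst == address)


def amplification(lan: Lan, inbound: List[Packet], filter_on: bool) -> float:
    """Reply packets per attacker packet (0.0 when nothing gets through)."""
    if not inbound:
        return 0.0
    return len(simulate(lan, inbound, filter_on)) / len(inbound)


if __name__ == "__main__":
    lan = Lan(LAN_CIDR, 50)
    # Attacker sends 20 echo requests to the directed broadcast with the
    # victim's address as source.
    spoofed = [Packet(VICTIM, lan.broadcast, "echo-request")] * 20
    for filt in (False, True):
        got = replies_to(simulate(lan, spoofed, filt), VICTIM)
        print(f"filter={filt}: victim receives {got} replies, "
              f"amplification {amplification(lan, spoofed, filt):.0f}x")
    # A host on the LAN can still ping the broadcast address directly.
    local = Packet("192.0.2.10", lan.broadcast, "echo-request")
    print("on-LAN broadcast ping answered by", len(lan.deliver(local)), "hosts")
```

Running it shows the victim receiving 1000 replies for 20 forged packets without the filter (50x amplification) and none with it, while an on-LAN broadcast ping is still answered by all 50 hosts, which is the compromise Bouyer's reply argues for.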