Subject: Re: broadcast ping response
To: Kentaro A. Kurahone <kurahone@sigusr1.org>
From: David Maxwell <david@crlf.net>
List: tech-net
Date: 01/23/2005 16:26:57
On Sun, 23 Jan 2005, Kentaro A. Kurahone wrote:
> On Sat, Jan 22, 2005 at 09:50:55PM -0500, Allen Briggs wrote:
> [snip]
> > What else?
> > 
> > Kurahone-san's patch seems pretty trivial, but I'm not sure how
> > real the need is...
> 
> FWIW, CERT recommends disabling responding to broadcast ICMP packets when
> dealing with smurf attacks, and it looks like a lot of the other unixes
> provide a simple tunable, or disable response by default.
> 
> http://www.cert.org/advisories/CA-1998-01.html

Personally, I'd prefer a smarter change. That is, don't respond to
broadcast ICMP packets, if the source IP (to which you'll respond) is
not on a local network.

This gives the same effect as recommendation #1, but on a host by host
basis.

So, you can still use local broadcasts for the reasons people have
already noted in this thread, but in combination with making change #1
to your router(s), you get a defense-in-depth, at the host level.

-- 
David Maxwell, david@vex.net|david@maxwell.net --> Unless you have a solution
when you tell them things like that, most people collapse into a gibbering, 
unthinking mass.  This is the same reason why you probably don't tell your 
boss about everything you read on BugTraq!    - Signal 11
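The host-level rule Maxwell proposes above, written out as an added illustration (it is not NetBSD code and not any patch from this thread): a user-space C model of the decision an echo-reply path would make when the request arrived at a broadcast destination. The table of attached subnets, the sample addresses and the allow_bcast_echo switch (standing in for the global tunable the other unixes expose) are all constructed assumptions for the example.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not NetBSD code: decide whether to answer an ICMP echo
 * request, given a constructed table of directly attached subnets. */

struct local_net {
    uint32_t addr; /* interface address, host byte order */
    uint32_t mask; /* netmask, host byte order */
};

/* Parse a dotted quad into host byte order; 0 on bad input (treated as unreplyable). */
static uint32_t ip(const char *s) {
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1)
        return 0;
    return ntohl(a.s_addr);
}

/* 1 if dst is the limited broadcast or the directed broadcast of an attached subnet. */
static int is_broadcast_dst(uint32_t dst, const struct local_net *nets, size_t n) {
    if (dst == 0xFFFFFFFFu)
        return 1;
    for (size_t i = 0; i < n; i++)
        if (dst == (nets[i].addr | ~nets[i].mask))
            return 1;
    return 0;
}

/* 1 if src lies inside a directly attached subnet: the "local network" test from the mail. */
static int src_is_local(uint32_t src, const struct local_net *nets, size_t n) {
    for (size_t i = 0; i < n; i++)
        if ((src & nets[i].mask) == (nets[i].addr & nets[i].mask))
            return 1;
    return 0;
}

/* 1 if a reply to src would itself go to an unspecified, broadcast or multicast
 * address; RFC 1122 already says not to send echo replies to those. */
static int src_is_unreplyable(uint32_t src, const struct local_net *nets, size_t n) {
    if (src == 0 || src == 0xFFFFFFFFu)
        return 1;
    if ((src & 0xF0000000u) == 0xE0000000u) /* 224.0.0.0/4 */
        return 1;
    return is_broadcast_dst(src, nets, n);
}

/* allow_bcast_echo is a hypothetical global switch (0 = never answer broadcast echo);
 * when it is on, the on-link source check is the per-host refinement. */
int should_reply_echo(const char *src_s, const char *dst_s,
                      const struct local_net *nets, size_t n, int allow_bcast_echo) {
    uint32_t src = ip(src_s), dst = ip(dst_s);
    if (src_is_unreplyable(src, nets, n))
        return 0;
    if (!is_broadcast_dst(dst, nets, n))
        return 1; /* ordinary unicast ping: unchanged behaviour */
    if (!allow_bcast_echo)
        return 0; /* global tunable off: drop all broadcast echo requests */
    return src_is_local(src, nets, n); /* answer only senders on an attached subnet */
}

/* Constructed sample host: 192.168.1.16/24 and 10.0.5.7/16. */
const struct local_net sample_nets[2] = {
    { 0xC0A80110u, 0xFFFFFF00u },
    { 0x0A000507u, 0xFFFF0000u },
};

int main(void) {
    const char *cases[][2] = {
        { "192.168.1.50", "192.168.1.255" }, /* on-link broadcast ping */
        { "203.0.113.9",  "192.168.1.255" }, /* smurf-style: remote source, broadcast dst */
        { "203.0.113.9",  "192.168.1.16"  }, /* remote unicast ping */
    };
    for (size_t i = 0; i < 3; i++)
        printf("%-14s -> %-16s reply=%d\n", cases[i][0], cases[i][1],
               should_reply_echo(cases[i][0], cases[i][1], sample_nets, 2, 1));
    return 0;
}
```

Two things worth noting about this rule. It stops the reflection that makes smurf useful, because a request carrying a remote victim's address as its source is never answered, while a remote unicast ping and on-link broadcast pings behave exactly as before. It does not stop a sender on the local segment, or anyone who can inject a packet with a forged on-link source, from making every host answer; that traffic lands on the local segment rather than on a remote victim, which is why the mail pairs it with the router-side change rather than replacing it.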