Subject: bin/2455: (security) Echo & friends can be spoofed into looping traffic
To: None <gnats-bugs@NetBSD.ORG, misc@openbsd.org>
From: None <david@mono.org>
List: netbsd-bugs
Date: 05/22/1996 11:08:13
>Number:         2455
>Category:       bin
>Synopsis:       (security) Echo & friends can be spoofed into looping traffic
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people (Utility Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed May 22 06:20:04 1996
>Last-Modified:
>Originator:     David Brownlee
>Organization:
Monochrome (http://www.mono.org)
>Release:        1.1B
>Environment:
	
System: NetBSD orwell.southern.net 1.1B NetBSD 1.1B (_SUN4C_) #0: Tue Apr 2 08:44:20 PST 1996 david@orwell.southern.net:/usr/src/sys/arch/sparc/compile/_SUN4C_ sparc


>Description:
	
	Another quote from Christopher Klaus <cklaus@iss.net> via BoS.

[start of text from Christopher Klaus <cklaus@iss.net>]
Chargen, Echo - These two services on many machines can be spoofed into sending
data from one service on one machine to another service on another machine
causing an infinite loop that causes high bandwidth so that the network
becomes unusable.
[end of text from Christopher Klaus <cklaus@iss.net>]

>How-To-Repeat:
	Fake a udp packet to port 7 on your victim from 'localhost port 7',
	and watch the machine continually loop sending the packet round and
	round.
	For more entertainment (& network traffic) fake it from 'hostA port 7'
	to 'hostB port 7' and watch them merrily bounce it back & forth.
	How fast can you say 'Denial of Service' :)

>Fix:
	Inetd needs to check the source ports of incoming packets & reject
	certain portnumbers - the list in 'biltins[]' looks like a good
	start - echo, time, daytime, & chargen (discard is pretty safe,
	but could be included if easier to code :)

	Also the kernel should drop packets incoming on an interface for
	which they make no sense - eg: an interface '194.72.62.104' with
	netmask 0xffffff00 should only accept packets from '194.72.62.*'.

>Audit-Trail:
>Unformatted: