Subject: Re: broadcast ping response
To: John Nemeth <jnemeth@victoria.tc.ca>
From: Allen Briggs <briggs@netbsd.org>
List: tech-net
Date: 01/22/2005 20:04:32
On Sat, Jan 22, 2005 at 04:42:29PM -0800, John Nemeth wrote:
> It is a traffic amplification attack. Picture a network with 50+
> machines, which respond to broadcast packets. You send one ping packet
> to the broadcast address and get 50 back.
Sure. I hadn't heard that OSes were turning off response to
broadcast pings, though. I find broadcast pings useful diagnostic
tools on my network.
When I was running a border router, I made sure that the router
didn't forward any broadcast traffic in or out of the network. I
thought that was pretty standard. Is it not?
Can't you configure ipf or ipfilter to dump these on the floor?
That said, I wouldn't have a problem with having a tunable knob to
easily disable responses to broadcast pings (I think it should
default to traditional behavior). I don't think anyone's proposed
it or shown any code, though.
-allen
--
Use NetBSD! http://www.netbsd.org/
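The two ideas in the message above, counting how many replies one directed-broadcast echo request can draw out of a subnet and dropping such requests at the border with ipf, as an added, runnable illustration that is not part of the original post or of NetBSD. The subnets, the interface name fxp0 and the packet summaries are constructed for the example; the ipf.conf syntax it emits (block in quick ... proto icmp ... icmp-type echo) is the ordinary ipf rule form, not something taken from the thread.

```python
"""Spot ICMP echo requests aimed at a directed-broadcast address and
estimate the worst-case amplification, then emit matching ipf drop rules."""
import ipaddress
from collections import Counter

ICMP_ECHO_REQUEST = 8  # ICMP type 8; replies are type 0

# Constructed: the subnets a border router would be responsible for.
LOCAL_SUBNETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/26"),
]

# Constructed packet summaries as (src, dst, proto, icmp_type), the kind of
# tuple you would pull from a tcpdump line or a firewall log.
SAMPLE_PACKETS = [
    ("203.0.113.9", "192.0.2.255", "icmp", 8),       # echo request to /24 directed broadcast
    ("203.0.113.9", "192.0.2.17", "icmp", 8),        # ordinary unicast ping, not flagged
    ("203.0.113.9", "198.51.100.63", "icmp", 8),     # echo request to /26 directed broadcast
    ("203.0.113.9", "192.0.2.255", "icmp", 0),       # echo reply, not a request, not flagged
    ("203.0.113.9", "192.0.2.255", "udp", None),     # not ICMP, not flagged
    ("203.0.113.9", "255.255.255.255", "icmp", 8),   # limited broadcast: routers never forward it
]


def directed_broadcast_subnet(dst, subnets):
    """Return the local subnet whose directed-broadcast address is dst, else None."""
    addr = ipaddress.ip_address(dst)
    for net in subnets:
        if addr == net.broadcast_address:
            return net
    return None


def max_replies(net):
    """Worst case for one request: every usable host address in the subnet answers."""
    return net.num_addresses - 2


def flag_directed_broadcast_echo(packets, subnets=LOCAL_SUBNETS):
    """Return (src, dst, max_replies) for each ICMP echo request whose destination
    is the directed-broadcast address of one of our subnets."""
    hits = []
    for src, dst, proto, icmp_type in packets:
        if proto != "icmp" or icmp_type != ICMP_ECHO_REQUEST:
            continue
        net = directed_broadcast_subnet(dst, subnets)
        if net is None:
            continue
        hits.append((src, dst, max_replies(net)))
    return hits


def amplification_by_source(hits):
    """Total potential reply packets each source could trigger with the flagged requests."""
    totals = Counter()
    for src, _dst, replies in hits:
        totals[src] += replies
    return dict(totals)


def ipf_block_rules(iface, subnets=LOCAL_SUBNETS):
    """ipf.conf lines that drop inbound echo requests to each directed-broadcast
    address on the outside interface (iface is a hypothetical name)."""
    return [
        f"block in quick on {iface} proto icmp from any to {net.broadcast_address}/32 icmp-type echo"
        for net in subnets
    ]


if __name__ == "__main__":
    found = flag_directed_broadcast_echo(SAMPLE_PACKETS)
    for src, dst, replies in found:
        print(f"{src} -> {dst}: up to {replies} replies from one request")
    print("per-source worst case:", amplification_by_source(found))
    print("\n".join(ipf_block_rules("fxp0")))
```

The rules only cover the directed-broadcast addresses of the subnets you list, which is the case a border router actually forwards; the limited broadcast 255.255.255.255 is never routed and so does not need an inbound rule, though on the LAN itself it still reaches every host. Disabling responses on the hosts (the tunable the message asks for) and filtering at the border are complementary: the filter stops outsiders using your network as an amplifier, the host knob stops a machine already on the segment from doing the same.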