Bug 17550

Summary: default 2.2.14 kernel responds to ICMP broadcasts -- smurf attack amplifier
Product: [Retired] Red Hat Linux Reporter: jose nazario <jose>
Component: kernelAssignee: Arjan van de Ven <arjanv>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 6.2CC: pekkas
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2002-01-18 17:22:41 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description jose nazario 2000-09-15 20:15:23 UTC 
this one is really simple. the default value of the kernel variable to inore ICMP echo broadcasts is set to , meaning it will respond to 
ICMP_ECHO_REQUEST broadcasts. this means that a default RH6.2 installation can be used as smurf attack amplifier. this is not good. a 
descriptin of the smurf attack is really quite simple: forge an ICMP_ECHO_REQUEST from a host and send it to a broadcast address, and the 
responses will overwhelm it, pushing it off the network. this is described in a CERT note: http://www.cert.org/advisories/CA-98.01.smurf.html .

bad. sysctl this variable by defualt to 1 to ignore the broadcasts. 

(yes, other kernel stuff like this is coming soon).
Comment 1 jose nazario 2000-09-15 20:19:25 UTC 
whoops, some typos:

the default value of the kernel variable to ignore ICMP echo broadcasts is set to 0, meaning it will respond to 
 ICMP_ECHO_REQUEST broadcasts. this value is stored in:

/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
Comment 2 Pekka Savola 2000-09-15 22:56:38 UTC 
Having the kernel respond to broadcast pings can be useful in debugging, among other things. 

Broadcast pings should be filtered out in routers/firewalls.
Comment 3 Michael K. Johnson 2002-01-18 21:12:43 UTC 
Agreed, this is not a bug, this is a characteristic of TCP/IP that should
be dealt with when designing your firewall.