Bug 17550 - default 2.2.14 kernel responds to ICMP broadcasts -- smurf attack amplifier
default 2.2.14 kernel responds to ICMP broadcasts -- smurf attack amplifier
Status: CLOSED NOTABUG
Product: Red Hat Linux
Classification: Retired
Component: kernel (Show other bugs)
6.2
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Arjan van de Ven
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2000-09-15 16:15 EDT by jose nazario
Modified: 2008-05-01 11:37 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2002-01-18 12:22:41 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description jose nazario 2000-09-15 16:15:23 EDT
this one is really simple. the default value of the kernel variable to inore ICMP echo broadcasts is set to , meaning it will respond to 
ICMP_ECHO_REQUEST broadcasts. this means that a default RH6.2 installation can be used as smurf attack amplifier. this is not good. a 
descriptin of the smurf attack is really quite simple: forge an ICMP_ECHO_REQUEST from a host and send it to a broadcast address, and the 
responses will overwhelm it, pushing it off the network. this is described in a CERT note: http://www.cert.org/advisories/CA-98.01.smurf.html .

bad. sysctl this variable by defualt to 1 to ignore the broadcasts. 

(yes, other kernel stuff like this is coming soon).
Comment 1 jose nazario 2000-09-15 16:19:25 EDT
whoops, some typos:

the default value of the kernel variable to ignore ICMP echo broadcasts is set to 0, meaning it will respond to 
 ICMP_ECHO_REQUEST broadcasts. this value is stored in:

/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
Comment 2 Pekka Savola 2000-09-15 18:56:38 EDT
Having the kernel respond to broadcast pings can be useful in debugging, among other things. 

Broadcast pings should be filtered out in routers/firewalls.


Comment 3 Michael K. Johnson 2002-01-18 16:12:43 EST
Agreed, this is not a bug, this is a characteristic of TCP/IP that should
be dealt with when designing your firewall.

Note You need to log in before you can comment on or make changes to this bug.