"broadcast ping" message
oberman at es.net
Wed Apr 16 13:12:14 PDT 2003
> Date: Wed, 16 Apr 2003 14:08:19 -0500
> From: Larry Rosenman <ler at lerctr.org>
> Sender: owner-freebsd-mobile at freebsd.org
> --On Wednesday, April 16, 2003 12:05:41 -0700 Jamie Bowden
> <ragnar at sysabend.org> wrote:
> > On Wed, 16 Apr 2003, John Polstra wrote:
> >> Oh, drop it! Security fixes don't wait on standards. You've got a
> >> knob to make it do what you want -- so use it. Please stop the
> >> whining or at least remove me from the cc list.
> > Since when is DOS a security issue? My issue is default behaviour
> > violating both POLA and RFC. You've got a knob to turn it off if it bugs
> > you.
> For clueless newbies that cause an ISP to be blacklisted, it sure as HECK
> **IS** a security
You are not arguing the issue at hand and many people are not
sufficiently involved with Internet routing to realize that this is not
To put it simply, if you have a router that FORWARDS broadcast pings,
you will very quickly become blue smurf toast. This is not an option or
matter of discretion and Cisco was massively abused for the old default.
No other router vendor forwards broadcast pings by default, either.
But the issue was not that of forwarding broadcast pings. The issue is a
system responding to a broadcast ping. Almost all systems do and all
should (IMHO). This is NOT a security issue. It's not even a denial of
service issue unless you have a very large broadcast domain and
potentially hostile, non-routed access to it.
I have never seen any proposal to change the "normal" behavior of
responding to broadcast pings as a proposed standard or BCP. Of course,
if a FreeBSD box is used as a router, it should not forward directed
broadcasts. (But that does not mean that it should not respond to them.)
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net Phone: +1 510 486-8634
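The distinction Oberman draws (a router must never forward a packet addressed to another subnet's directed broadcast, while a host on the LAN the packet arrives on may still answer it) as a small model in code. This is an added example, not code from the thread or from FreeBSD; the interface addresses and packets are constructed sample data, and the decision function and its return labels are my own.

```python
import ipaddress

# Constructed sample box: two attached subnets, as a router would have.
INTERFACES = {
    "em0": ipaddress.IPv4Interface("192.0.2.1/24"),
    "em1": ipaddress.IPv4Interface("198.51.100.1/24"),
}

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def classify(packet, interfaces=INTERFACES, forwarding=True):
    """Decide what to do with an ICMP echo request.

    packet: dict with 'dst' (IPv4 string) and 'in_if' (arrival interface)
    interfaces: name -> IPv4Interface of this box's own addresses
    forwarding: True if the box acts as a router, False for a plain host
    Returns 'reply', 'drop', 'forward' or 'not-for-us'.
    """
    dst = ipaddress.IPv4Address(packet["dst"])
    arrival_net = interfaces[packet["in_if"]].network

    # Unicast to one of our own addresses: answer it.
    if any(dst == iface.ip for iface in interfaces.values()):
        return "reply"

    # Broadcast on the LAN the packet arrived on (limited broadcast or the
    # subnet's own broadcast address): normal host behaviour is to reply.
    # This is the behaviour the thread says is NOT a security issue.
    if dst == LIMITED_BROADCAST or dst == arrival_net.broadcast_address:
        return "reply"

    # Directed broadcast for a different attached subnet: forwarding it onto
    # that LAN would make every host there an amplifier (smurf), so a router
    # drops it regardless of any other forwarding decision.
    for name, iface in interfaces.items():
        if name != packet["in_if"] and dst == iface.network.broadcast_address:
            return "drop"

    # Anything else is ordinary traffic: forward if we route, else ignore.
    return "forward" if forwarding else "not-for-us"
```

Running `classify({"dst": "198.51.100.255", "in_if": "em0"})` returns `'drop'`, while the same request sent to `192.0.2.255` on `em0` returns `'reply'`.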