Re: Removing or changing the ping interval restriction for non-root users

From: Lee Brown <leeb_at_ratnaling.org>
Date: Sun, 24 Mar 2024 18:20:36 UTC
net/fping will allow sub-second intervals:

$ ping -i .1 10.1.1.1
ping: -i interval too short: Operation not permitted

$ fping --interval=1 --vcount=20 --period=50 10.1.1.1
20 lines of result

Better than changing base IMHO (POLA)

On Sun, Mar 24, 2024 at 8:04 AM Tom Forbes <tom@tomforb.es> wrote:

> I've personally never come across this limitation on any system that I've
> used, however it is a good point that there are bound to be systems that
> have the same limitation. After digging a bit more into the history the
> limitation was added in this commit[1] in 1998 with the explicit intention
> to "secure options from user-level D.O.S attacks".
>
> A lot of things have changed since 1998, and setting an arbitrary high
> limit to prevent "ping" and "ping6" from being used to DOS networked
> devices would be a pretty suspect decision if it was suggested today. I
> expect a few other distributions have inherited this limit from the
> original contribution, but to me that doesn't lend a strong argument to
> keeping it if the underlying reason it exists doesn't make sense anymore
> _and_ if removing/reducing it is a backwards-compatible, simple and
> non-invasive change.
>
> Tom
>
>    1.
>    https://github.com/freebsd/freebsd-src/commit/526f06b278d9252add168aa18b60242c08771165
>
>
> On Sun, 24 Mar 2024, at 2:48 PM, Cy Schubert wrote:
>
> On March 24, 2024 5:57:01 AM PDT, Tom Forbes <tom@tomforb.es> wrote:
> >Hello,
> >I maintain a small project called gping[1] that recently added support
> for FreeBSD. One of the issues I ran into with running this on FreeBSD was
> that the `ping` command seems to disallow intervals of less than 1 second
> if you are not running as root[2]. This check was last touched 23 years ago
> and I'm curious as to why this restriction exists? I assume it's from an
> earlier time in the internets history, and perhaps is related to potential
> misuse of the command to flood targets with packets via ping?
> >
> >If it is then I'd like to suggest that this limitation be removed or is
> reduced to `0.1` seconds instead? Using `ping` for this kind of thing isn't
> a viable attack today, and the 1 second limitation seems like it would get
> in the way of useful uses of the ping command.
> >
> >Also this is my first post to any *BSD mailing list, so please let me
> know if this is not the right place to ask this question or propose this!
> >
> >Thanks,
> >Tom
> >
> >1. https://github.com/orf/gping
> >2.
> https://github.com/freebsd/freebsd-src/blame/8a56ef8d75b42ee7228247466c8c1712de6e3b6f/sbin/ping/ping6.c#L441
> Other UNIX-like systems have the same restriction. At $JOB we use Solaris
> and various Linux systems. All maintain the same restriction. Other BSDs
> are the same.I don't think FreeBSD should be an outlier.
>
> Maybe  setgid bit or a capability to remove the restriction may be a
> better solution. But to reduce the timeout to essentially remove it is IMO
> unwise.
>
> --
> Cheers,
> Cy Schubert <Cy.Schubert@cschubert.com>
> FreeBSD UNIX:  <cy@FreeBSD.org>  Web:  https://FreeBSD.org
> NTP:                     <cy@nwtime.org>    Web:  https://nwtime.org
>                                                     e^(i*pi)+1=0
>
> Pardon the typos. Small keyboard in use.
>
>
>