FreeBSD Security Advisory: FreeBSD-SA-98:06.icmp
FreeBSD Security Officer
security-officer at FreeBSD.ORG
Wed Jun 10 11:35:09 PDT 1998
-----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
FreeBSD-SA-98:06 Security Advisory
FreeBSD, Inc.
Topic: smurf attack
Category: core
Module: kernel
Announced: 1998-06-10
Affects: FreeBSD 2.2.*, FreeBSD-stable and FreeBSD-current
before 1998/05/26 suffer from this problem.
Corrected: FreeBSD-current as of 1998/05/26
FreeBSD-stable as of 1998/05/26
FreeBSD only: yes
Patches: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-98:06/
=============================================================================
IMPORTANT MESSAGE: The FreeBSD security officer now uses the policy
ftp://ftp.freebsd.org/pub/FreeBSD/POLICY.asc for sending out
advisories.
=============================================================================
I. Background
As can be read in CERT advisory CA-98.01.smurf, there exists
a denial of service attack called "smurfing". This attack sends
ICMP echo requests to the broadcast address of a network. This
results in the source address of the ICMP packets being flooded
with ICMP echo replies. Of course, the source address is
spoofed.
II. Problem Description
A solution at the intermediate network being abused to generate
the ICMP echo replies is to either block ICMP echo requests
directed to a broadcast address or to configure the hosts on
that network not to respond to such an ICMP request. In the
CERT advisory, the following was reported:
In FreeBSD 2.2.5 and up, the tcp/ip stack does not respond
to ICMP echo requests destined for broadcast and multicast
addresses by default. This behavior can be changed via the
sysctl command via mib net.inet.icmp.bmcastecho.
Unfortunately, an error was made with the implementation of
this functionality and, despite the text in the CERT
advisory, the net.inet.icmp.bmcastecho sysctl variable default
is to respond to ICMP packets sent to the networks broadcast
address. You should explicitly run the command
sysctl -w net.inet.icmp.bmcastecho=0
to disable this.
III. Impact
Your network can suffer performance degradation when a
large amount of spoofed ICMP is sent to your broadcast address.
IV. Workaround
Block ICMP echo requests to broadcast addresses in your kernel
using ipfw(8). See CERT advisory CA-98.01.smurf for more
workarounds.
V. Solution
Apply the following patch:
Patch for 3.0-current, 2.2-stable, 2.2.5 and 2.2.6 systems:
Index: ip_icmp.c
===================================================================
RCS file: /home/cvsup/freebsd/CVS/src/sys/netinet/ip_icmp.c,v
retrieving revision 1.29
retrieving revision 1.30
diff -u -r1.29 -r1.30
--- ip_icmp.c 1997/08/25 16:29:27 1.29
+++ ip_icmp.c 1998/05/26 11:34:30 1.30
@@ -375,8 +375,7 @@
case ICMP_ECHO:
if (!icmpbmcastecho
- && (m->m_flags & (M_MCAST | M_BCAST)) != 0
- && IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
+ && (m->m_flags & (M_MCAST | M_BCAST)) != 0) {
icmpstat.icps_bmcastecho++;
break;
}
@@ -385,8 +384,7 @@
case ICMP_TSTAMP:
if (!icmpbmcastecho
- && (m->m_flags & (M_MCAST | M_BCAST)) != 0
- && IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
+ && (m->m_flags & (M_MCAST | M_BCAST)) != 0) {
icmpstat.icps_bmcasttstamp++;
break;
}
=============================================================================
FreeBSD, Inc.
Web Site: http://www.freebsd.org/
Confidential contacts: security-officer at freebsd.org
Security notifications: security-notifications at freebsd.org
Security public discussion: freebsd-security at freebsd.org
PGP Key: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc
Notice: Any patches in this document may not apply cleanly due to
modifications caused by digital signature or mailer software.
Please reference the URL listed at the top of this document
for original copies of all patches if necessary.
=============================================================================
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
iQCVAwUBNX7QUlUuHi5z0oilAQEBMQP6Avlv1dEMtH7thC510f17to9UNcDAobz4
83Fd5qVfwjBy5G0AxSLOLYb4/9ZI137aNtsLRcvx3J4CRGPBCpA7UXptID/QuTHO
6Z0sqix21OAigcrdX0Aegx2JBvY+NLgBSK4NrWbpp5sAjjW1i4OS/wzGQmhXFDjU
JGoIZMmYKXU=
=VFXs
-----END PGP SIGNATURE-----
This is the moderated mailing list freebsd-announce.
The list contains announcements of new FreeBSD capabilities,
important events and project milestones.
See also the FreeBSD Web pages at http://www.freebsd.org
To Unsubscribe: send mail to majordomo at FreeBSD.org
with "unsubscribe freebsd-announce" in the body of the message
More information about the freebsd-announce
mailing list