Bugtraq mailing list archives
Re: `smurf' multi-broadcast icmp attack
From: therapy () GUARDIAN HTU TUWIEN AC AT (Therapy?)
Date: Thu, 16 Oct 1997 14:22:35 +0100
My host has been abused for flooding with the "smurf-exploit", posted to bugtraq, so I patched my kernel to not reply to ICMP_ECHO addressed to an IP address which doesn't belong to the host (broadcasted pkt).

I recommend installing icmplog, included in the iplogger package, available at ftp://ftp.tu-graz.ac.at/pub/linux/redhat-contrib/SRPMS/iplogger-0.1-1.src.rpm to find out if you're abused by smurf to flood. It produces a lot of syslog entries for every ICMP_ECHO request received, like...

Oct 16 13:59:53 leto icmplog: ping from clifton.netgates.co.uk
Oct 16 13:59:56 leto icmplog: ping from darkfires.abac.com
Oct 16 13:59:57 leto icmplog: ping from clifton.netgates.co.uk
Oct 16 13:59:59 leto icmplog: ping from darkfires.abac.com
...
simple patch for linux-2.0.30 attached

-therapy

[Attachment: hmm13, "icmp broadcast echo patch"]