[2248] in linux-security and linux-alert archive


No subject found in mail header

daemon@ATHENA.MIT.EDU (list@lists.redhat.com)
Wed Nov 10 18:35:25 1999

Date: 9 Nov 1999 08:32:15 -0000
Message-ID: <19991109083215.30592.qmail@lists.redhat.com>
From: list@lists.redhat.com
Cc: recipient list not shown: ;

	by bolex.bolex.co.yu (8.9.3/8.9.3) with ESMTP id BAA00818
	for <linux-security@redhat.com>; Tue, 9 Nov 1999 01:08:47 +0100
Date: Tue, 9 Nov 1999 01:08:47 +0100 (CET)
From: Bosko Radivojevic <bole@bolex.bolex.co.yu>
To: linux-security@redhat.com
Subject: Nasty ping with pattern '+++ATH0' - how to stop?
Message-ID: <Pine.LNX.4.05.9911090106430.782-200000@bolex.bolex.co.yu>
MIME-Version: 1.0
Content-ID: <Pine.LNX.4.05.9911090106431.782@bolex.bolex.co.yu>
Content-Type: MULTIPART/MIXED; BOUNDARY="-254429440-263939506-942031020=:4810"
Resent-Message-ID: <"nLcGM1.0.vR7.Dmz9u"@lists.redhat.com>
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com
X-Mailing-List: <linux-security@redhat.com> archive/latest/26
X-Loop: linux-security@redhat.com
Precedence: list
Resent-Sender: linux-security-request@redhat.com

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.
  Send mail to mime@docserver.cac.washington.edu for more info.

---254429440-263939506-942031020=:4810
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-ID: <Pine.LNX.4.05.9911090106432.782@bolex.bolex.co.yu>

Hello!

A well-known thing is the abusive use of ping's ability to fill out the
ICMP packet with '+++ATH0', which will cause a hangup on 'bad' modems. The
defense, on the client side, is to add 'S2=255' to the modem settings.

This 'technique' is used in IRC wars and other abusive attacks, and shell
providers have a lot of problems with that. There are two ways to prevent
users from doing all those 'hangups'. The first is to close outgoing pings,
and the second is to disallow using ping with the -p option (wrapper,
directly in code, etc). But the -p option could be useful for diagnosing
data-dependent problems in a network, so a better solution is to log uses
of the ping -p option.

This little patch (attached) will enable logging via syslogd(8).
Messages are logged with 'warning' priority, and consist of the PID, UID,
pattern, and pinged target. The patch is made for netkit-base-0.10, a part
of Slackware and other distributions too.

Sincerely,
Bosko

[mod: Logging at the ISP will not help people who have a decent
machine/modem from pinging others. People who are annoyed by others
shutting down their link can specify "escape 41 61" to have ppp escape
all A's before transmission. (Untested: my link didn't hang up when I
tried it...) -- REW ]


---254429440-263939506-942031020=:4810
Content-Type: TEXT/PLAIN; charset=US-ASCII; name="netkit-base-0.10-ping-patch"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.4.05.9911090108470.782@bolex.bolex.co.yu>
Content-Description: 
Content-Disposition: attachment; filename="netkit-base-0.10-ping-patch"
---254429440-263939506-942031020=:4810--

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe:
  mail -s unsubscribe linux-security-request@redhat.com < /dev/null
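
A sketch of the logging described in the message above, as an added example: it is not the attached patch (whose contents do not appear on this page) and not netkit code. The function names, the message wording and the LOG_AUTH facility are assumptions; only the logged fields (PID, UID, pattern, target) and the warning priority come from the message.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <syslog.h>
#include <unistd.h>

/* Copy src into dst, replacing anything outside printable ASCII with '?',
 * so a crafted argument cannot inject newlines or control bytes into the log. */
static void sanitize(char *dst, size_t dstlen, const char *src)
{
    size_t i = 0;
    for (; src[i] != '\0' && i + 1 < dstlen; i++)
        dst[i] = isprint((unsigned char)src[i]) ? src[i] : '?';
    dst[i] = '\0';
}

/* Build the audit line (hypothetical wording): PID, UID, pattern, target. */
int format_ping_audit(char *buf, size_t buflen, pid_t pid, uid_t uid,
                      const char *pattern, const char *target)
{
    char pat[64], tgt[256];
    sanitize(pat, sizeof pat, pattern);
    sanitize(tgt, sizeof tgt, target);
    return snprintf(buf, buflen,
                    "ping -p used: pid=%ld uid=%lu pattern=%s target=%s",
                    (long)pid, (unsigned long)uid, pat, tgt);
}

/* Log at warning priority. ping is normally setuid root, so getuid() (the
 * real UID) identifies the invoking user where geteuid() would report 0. */
void log_ping_pattern(const char *pattern, const char *target)
{
    char line[400];
    format_ping_audit(line, sizeof line, getpid(), getuid(), pattern, target);
    openlog("ping", LOG_PID, LOG_AUTH);   /* facility is an assumption */
    syslog(LOG_WARNING, "%s", line);      /* user data is never the format string */
    closelog();
}

int main(int argc, char **argv)
{
    /* Constructed sample values; a patched ping would pass its own -p
     * argument and destination host here. */
    const char *pattern = argc > 1 ? argv[1] : "a5a5";
    const char *target = argc > 2 ? argv[2] : "host.example";
    log_ping_pattern(pattern, target);
    return 0;
}
```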

