[113] in bugtraq
Re: udp packet storms
daemon@ATHENA.MIT.EDU (Jas (Matthew K))
Sun Oct 30 07:46:31 1994
From: matt@uts.EDU.AU (Jas (Matthew K))
To: rwing!pat@ole.cdac.com (Pat Myrto)
Date: Sun, 30 Oct 1994 22:15:21 +1000 (EST)
Cc: bugtraq@fc.net (Bugtraq Mailing List)
In-Reply-To: <9410300525.AA08451@rwing.UUCP> from "Pat Myrto" at Oct 29, 94 10:25:13 pm
Pat Myrto wrote this...
>
> "In the previous message, Tim Newsham said..."
> >
> >
> > There's at least one way to make a UDP packet storm. Not
> > very hard to do:
> >
> > src address = 255.255.255.255 port 7
> > dst address = <some host> port 7
> >
> > the port will be echoed by the inetd (echo port) back to the
> > sender (255.255.255.255 port 7). Each machine with an inetd
> > that has echo enabled will echo the packet back to the first
> > machine. Broadcast addresses need not be used:
> >
> > src address = <some host> port 7
> > dst address = <some other host> port 7
> >
> > I imagine the same can be done with talkd packets. UDP source
> > addresses are easy to forge.
>
> That's interesting - it amounts to a feedback loop (in electrical
> or audio terminology). Is there a way to interrupt this sort of
> thing (short of killing inetd or the involved daemon) or rebooting (a
> drastic method of doing the same thing)?
>
> How would one prevent this without disabling the udp services?

Hack up inetd to check for broadcast src addresses and/or kill source
routing (or at the very least restrict it).

Matt
--
Matthew Keenan
Systems Programmer Information Technology Division
University of Technology Sydney Australia
www: http://milliways.itd.uts.edu.au/~matt/
email: matt@uts.edu.au
phone: +61 2 330 1390
fax: +61 2 330 1999
home: +61 2 416 5722

"Don't murder a man who is about to commit suicide." -- Machiavelli
GCV 2.1 GAT/M/CS d--(-+) H-- s++:-- g+ p? !au a-(?) w+++ v+ C+++$
UVS++++$ P+>+++ L- 3+++ E-(++) N++ K W--- M+ V-- -po+(+) Y+ t+
!5>++ jx R+ G? !tv b+++ D++ B e+ u--(**) h- f+(*) r n- !y
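
The source-address check suggested in the reply above, sketched as an added example; it is not code from inetd or from anyone in this thread. The function names are hypothetical, and the refusal to answer datagrams whose source port is itself a small UDP service (7, 13, 19, 37) is an assumption added here to cover the second, non-broadcast variant quoted in the message.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: 1 if a UDP echo service may answer a datagram
 * from `src`, 0 if answering could feed an echo loop. */
int echo_reply_allowed(const struct sockaddr_in *src)
{
    uint32_t addr = ntohl(src->sin_addr.s_addr);
    uint16_t port = ntohs(src->sin_port);

    if (addr == INADDR_BROADCAST)   /* 255.255.255.255, as in the post */
        return 0;
    if (addr == INADDR_ANY)         /* 0.0.0.0 is never a valid sender */
        return 0;
    if (IN_MULTICAST(addr))         /* 224.0.0.0/4 cannot be a unicast source */
        return 0;
    if (port == 0)                  /* nothing can receive a reply on port 0 */
        return 0;
    /* Assumption added in this example: a datagram claiming to come from
     * echo(7), daytime(13), chargen(19) or time(37) would make the peer's
     * own small service answer our answer, so drop it. */
    if (port == 7 || port == 13 || port == 19 || port == 37)
        return 0;
    return 1;
}

/* Convenience wrapper for dotted-quad input; unparsable input is refused. */
int echo_reply_allowed_str(const char *ip, uint16_t port)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1)
        return 0;
    sa.sin_port = htons(port);
    return echo_reply_allowed(&sa);
}

int main(void)
{
    /* Constructed sample senders (192.0.2.0/24 is a documentation range). */
    printf("%d\n", echo_reply_allowed_str("255.255.255.255", 7));
    printf("%d\n", echo_reply_allowed_str("192.0.2.10", 7));
    printf("%d\n", echo_reply_allowed_str("192.0.2.10", 40000));
    return 0;
}
```

A subnet-directed broadcast source (for example the .255 address of a /24) is not caught here, because recognising it requires the netmask of the receiving interface.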