[2753] in bugtraq
Re: Router programming,source routes and spoofed ICMP attacks.
daemon@ATHENA.MIT.EDU (Brian Mitchell)
Thu Jun 20 20:04:36 1996
Date: Thu, 20 Jun 1996 19:23:48 -0400
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
From: Brian Mitchell <brian@saturn.net>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To: <Pine.SUN.3.90.960620170800.1411J-100000@papaioea.manawatu.gen.nz>
On Thu, 20 Jun 1996, Alan Brown wrote:
> There's been an alarming increase in the incidence of ICMP attacks based
> around forged host/port unreachable messages recently, particularly on IRC
> servers as all it takes is one of these packets to cause client
> disconnects or even server splits.
>
> The culprit is a windows version of that old nasty, nuke.c
> It's in wide distribution among the warez fraternity as it's a useful
> tool for them to prevent IRC administrators from working effectively.
No matter, most operating systems should be immune to such things at this
point in time.
>
> Apart from IRC, a machine being knocked off its connection by a constant
> stream of unreachables can then be spoofed for other possibly more
> serious attacks.
It attacks specific connections, it won't make a machine 'unreachable', it
can merely close specific established connections.
>
> A few pointers for routers will help reduce some of the damage.
>
> 1: Unless you have a reason not to, set all routers to dump source
> routed frames. This is the default on some brands, but it isn't
> on Ciscos (IMHO this is wrong but I'm not Cisco).
> For Ciscos, once in configuration mode, set "no ip source-route",
> then exit and write.
I'd say just about anyone who cares at all about security (i.e. anyone
reading this list) has source routing disabled on their routers, and
probably on their individual workstations as well.
>
> 2: If you run a vulnerable machine (IRC or other chat server), consider
> blocking icmp from outside your network from being passed through if
> it's destined for that server.
Or simply apply suitable patches so it does the correct checks on the
validity of the icmp.
>
> Ciscos set to dump source routed IP still pass forged ICMP.
> Securicor 3net assure me that their routers don't and I have no
> information on any others.
I don't quite understand this. Source routing and forged icmp have
absolutely nothing to do with one another.
>
> These aren't going to help much when it comes to attacks from inside
> a site's routing cloud but it at least helps cut down on externals...
Most vendors have icmp patches, which will help on attacks from the inside.
>
> I have the source code to nuke.c and binaries of wnuke here but I'm not
> particularly happy with the thought of handing them out for obvious
> reasons, though they're probably readily available if one looks in the
> "right" places.
Everyone, and I *do* mean everyone, has nuke.c. It is even mentioned in
the Cheswick/Bellovin firewall book.
Brian Mitchell brian@saturn.net
Unix Security / Perl / WWW / CGI http://www.saturn.net/~brian
"I never give them hell. I just tell the truth and they think it's hell"
- H. Truman
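The "correct checks on the validity of the icmp" that the reply says vendor patches add are the host-side mitigation for the forged-unreachable attack described in this thread. The following is an added example, not code from the thread or from any vendor's patch, showing what such a check looks like in Python: an ICMP Destination Unreachable is only allowed to abort a TCP connection when its checksum is sound, the embedded IP/TCP header matches an established connection, the embedded sequence number is actually in flight (the check RFC 5927 recommends), and the code is a hard error under RFC 1122 (2, 3 or 4; codes 0, 1 and 5 are soft and never abort). The connection table, the `Conn` send-window fields and the sample packets are constructed for the example; a forged message with the right addresses but a guessed sequence number fails the window check, which is exactly the case a blind nuke.c-style sender is in.

```python
import socket
import struct
from dataclasses import dataclass

ICMP_DEST_UNREACH = 3
# RFC 1122 section 4.2.3.9: codes 2 (protocol), 3 (port) and 4 (fragmentation
# needed) are "hard" errors that may abort a connection; 0, 1 and 5 are "soft".
HARD_ERROR_CODES = {2, 3, 4}
IPPROTO_TCP = 6


@dataclass
class Conn:
    """Send-side state of one established TCP connection (assumed host table)."""
    snd_una: int   # oldest sequence number not yet acknowledged
    snd_nxt: int   # next sequence number to be sent


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a correctly summed message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_unreachable(code, src, dst, sport, dport, seq) -> bytes:
    """Constructed sample: ICMP type 3 carrying the offending IP header + 8 TCP bytes."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                           socket.inet_aton(src), socket.inet_aton(dst))
    inner_tcp = struct.pack("!HHI", sport, dport, seq)   # ports + sequence number
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + inner_ip + inner_tcp
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def seq_in_window(seq, snd_una, snd_nxt) -> bool:
    """True when snd_una <= seq < snd_nxt, with 32-bit wrap-around."""
    return ((seq - snd_una) & 0xFFFFFFFF) < ((snd_nxt - snd_una) & 0xFFFFFFFF)


def validate_unreachable(msg: bytes, conns: dict):
    """Decide whether an ICMP unreachable may abort a TCP connection.

    Returns (abort, reason); only a message passing every check aborts."""
    if len(msg) < 8 + 20 + 8:
        return False, "too short to carry IP header + 8 bytes of transport header"
    if msg[0] != ICMP_DEST_UNREACH:
        return False, "not destination unreachable"
    if icmp_checksum(msg) != 0:
        return False, "bad ICMP checksum"
    code = msg[1]
    inner = msg[8:]                       # the datagram that supposedly failed
    ihl = (inner[0] & 0x0F) * 4
    if (inner[0] >> 4) != 4 or ihl < 20 or len(inner) < ihl + 8:
        return False, "malformed embedded IP header"
    if inner[9] != IPPROTO_TCP:
        return False, "embedded datagram is not TCP"
    src = socket.inet_ntoa(inner[12:16])
    dst = socket.inet_ntoa(inner[16:20])
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    # The embedded datagram is one this host sent, so (src, sport) is the local side.
    conn = conns.get((src, sport, dst, dport))
    if conn is None:
        return False, "no established connection matches the embedded 4-tuple"
    if not seq_in_window(seq, conn.snd_una, conn.snd_nxt):
        return False, "embedded sequence number is not in flight"
    if code not in HARD_ERROR_CODES:
        return False, "soft error code %d: keep connection, maybe log" % code
    return True, "hard error for an in-flight segment: abort is justified"


# Constructed connection table: an IRC client 10.0.0.5:40000 -> 192.0.2.10:6667
CONNS = {("10.0.0.5", 40000, "192.0.2.10", 6667): Conn(snd_una=1000, snd_nxt=1500)}

# Forged message of the kind discussed: right addresses, guessed sequence number.
FORGED = build_unreachable(3, "10.0.0.5", "192.0.2.10", 40000, 6667, 99999)
# Message a router would actually generate for a segment currently in flight.
GENUINE = build_unreachable(3, "10.0.0.5", "192.0.2.10", 40000, 6667, 1200)

if __name__ == "__main__":
    for name, m in (("forged", FORGED), ("genuine", GENUINE)):
        print(name, validate_unreachable(m, CONNS))
```

The order of the checks matters for logging: a message that matches a live connection but carries a soft error code is still worth a log line, since a stream of them is the symptom the original poster describes, whereas one that matches nothing can simply be dropped.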