Bugtraq mailing list archives

Router programming,source routes and spoofed ICMP attacks.


From: alan () manawatu planet org nz (Alan Brown)
Date: Thu, 20 Jun 1996 17:19:33 +1200


There's been an alarming increase in the incidence of ICMP attacks based
around forged host/port unreachable messages recently, particularly on IRC
servers as all it takes is one of these packets to cause client
disconnects or even server splits.

The culprit is a Windows version of that old nasty, nuke.c.
It's in wide distribution among the warez fraternity as it's a useful
tool for them to prevent IRC administrators from working effectively.

Apart from IRC, a machine being knocked off its connection by a constant
stream of unreachables can then be spoofed for other possibly more
serious attacks.

A few pointers for routers will help reduce some of the damage.

1: Unless you have a reason not to, set all routers to dump source
   routed frames. This is the default on some brands, but it isn't
   on Ciscos (IMHO this is wrong but I'm not Cisco).
   For Ciscos, once in configuration mode, set "no ip source-route",
   then exit and write.

2: If you run a vulnerable machine (IRC or other chat server), consider
   blocking icmp from outside your network from being passed through if
   it's destined for that server.
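As an added illustration (not part of the original post), here is what the two pointers look like as a Cisco IOS configuration fragment; the server address 192.0.2.10, the interface name Serial0 and the access-list number 101 are assumed placeholders.

```cisco
! Added example, not from the original post. Placeholders: 192.0.2.10 is
! the chat server, Serial0 is the interface facing the outside world,
! 101 is the extended access-list number.
!
! 1: stop this router forwarding source-routed IP datagrams
no ip source-route
!
! 2: drop ICMP destination-unreachable (type 3) messages arriving from
!    outside that are addressed to the chat server; pass everything else.
!    The "unreachable" keyword matches all ICMP type 3 codes, so forged
!    host- and port-unreachable messages are both covered.
access-list 101 deny   icmp any host 192.0.2.10 unreachable
access-list 101 permit ip any any
!
! apply the list to traffic entering from the outside
interface Serial0
 ip access-group 101 in
!
end
! then save the running configuration: write memory
```

Note that the access-list only protects against unreachables that cross this router; anything forged from inside the site's own routing cloud never passes through it.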

Ciscos set to dump source routed IP still pass forged ICMP.
Securicor 3net assure me that their routers don't and I have no
information on any others.

These aren't going to help much when it comes to attacks from inside
a site's routing cloud, but they at least help cut down on externals...

I have the sourcecode to nuke.c and binaries of wnuke here but I'm not
particularly happy with the thought of handing them out for obvious
reasons, though they're probably readily available if one looks in the
"right" places.

AB

"...pending my interrogation and stuck for an excuse, I came up with
    two more variations on pastry abuse..."
