Bugtraq mailing list archives
Router programming,source routes and spoofed ICMP attacks.
From: alan () manawatu planet org nz (Alan Brown)
Date: Thu, 20 Jun 1996 17:19:33 +1200
There's been an alarming increase in the incidence of ICMP attacks based around forged host/port unreachable messages recently, particularly on IRC servers, as all it takes is one of these packets to cause client disconnects or even server splits.

The culprit is a Windows version of that old nasty, nuke.c. It's in wide distribution among the warez fraternity as it's a useful tool for them to prevent IRC administrators from working effectively.

Apart from IRC, a machine being knocked off its connection by a constant stream of unreachables can then be spoofed for other, possibly more serious, attacks.

A few pointers for routers will help reduce some of the damage:

1. Unless you have a reason not to, set all routers to dump source routed frames. This is the default on some brands, but it isn't on Ciscos (IMHO this is wrong, but I'm not Cisco). For Ciscos, once in configuration mode, set "no ip source-route", then exit and write.

2. If you run a vulnerable machine (IRC or other chat server), consider blocking ICMP from outside your network from being passed through if it's destined for that server. Ciscos set to dump source routed IP still pass forged ICMP. Securicor 3net assure me that their routers don't, and I have no information on any others.

These aren't going to help much when it comes to attacks from inside a site's routing cloud, but it at least helps cut down on externals...

I have the source code to nuke.c and binaries of wnuke here, but I'm not particularly happy with the thought of handing them out for obvious reasons, though they're probably readily available if one looks in the "right" places.

AB

"...pending my interrogation and stuck for an excuse, I came up with two more variations on pastry abuse..."
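The two router changes described in the post, written out as an IOS configuration fragment; this is an added example, not configuration from the original message. It assumes the Internet-facing interface is Serial0, the IRC server sits at the placeholder address 192.0.2.10, and extended ACL number 101 is free.

```cisco
! Added example (not from the original post). Assumptions: outside
! interface Serial0, IRC server 192.0.2.10 (placeholder), ACL 101 unused.
!
! Pointer 1: discard IP datagrams carrying source-route options.
! IOS accepts them by default, so this line must be added explicitly.
no ip source-route
!
! Pointer 2: stop ICMP arriving from outside from reaching the server.
! ICMP "fragmentation needed" (type 3 code 4) is let through first so
! the server's path MTU discovery keeps working; the forged host/port
! unreachables the post describes fall into the deny line below it.
access-list 101 permit icmp any host 192.0.2.10 packet-too-big
access-list 101 deny   icmp any host 192.0.2.10
access-list 101 permit ip   any any
!
! Apply the filter inbound on the Internet-facing interface only, so
! ICMP originating inside the site is unaffected.
interface Serial0
 ip access-group 101 in
!
end
```

As the post notes, this filter only catches packets that cross the outside interface; unreachables injected from within the site's own routing cloud still reach the server.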