Vulnerability Development mailing list archives
"Re: ping flooding as normal user" and strange icmp behavior with Linux 2.4
From: Weston Pawlowski <bug () WESTON CX>
Date: Thu, 17 Aug 2000 22:00:44 -0000
Although 60000 will work, 65470 will not. There is an upper limit, it is just a bit high. My LRP box (kernel 2.0.36) won't reply to anything above 52350, however my server (kernel 2.4.0-test4) will reply to anything. In any case, you can reduce the effectiveness of a ping flood by setting your box to simply not reply to icmp echo-requests. A ping flood can still clog your bandwidth, but at least you wont be replying to all those pings and clogging your upstream bandwidth as well. It's also a good idea to prevent normal users from using ping. "chmod 700 /bin/ping" should do the trick. A better idea would be to allow normal users to use ping, but only allow normal pings (no options like "-p" and "-s"). That way they'd have a much harder time using your machine to DoS someone by flooding or sending an echo-request containing "+++ATH" to someone with a vulernable modem, etc. Maybe even limit the rate of non-root pings being sent from your system, so that a user couldn't log in several times and have each of his sessions pinging someone. Here's how to ingore pings: ipfwadm (Linux 2.0): ipfwadm -I -a deny -P icmp -S 0.0.0.0/0 8 ipchains (Linux 2.2): ipchains -I input -p ICMP --icmp-type echo-request -j DENY iptables (Linux 2.4): iptables -I INPUT -p ICMP --icmp-type echo-request -j DROP Something strange that I noticed while experimenting with ping is that setting a size of 65465 to 65468 and pinging one of my Linux 2.4.0-test4 boxes causes it to dump a lot of hex: [weston@bug weston]$ ping -s 65468 192.168.22.1 | more PING 192.168.22.1 (192.168.22.1): 65468 data bytes 65476 bytes from 192.168.22.1: icmp_seq=0 ttl=255 time=14.7 ms wrong data byte #65464 should be 0xb9 but was 0xb8 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 <then a lot more hex> Does anyone know what is going on there? I don't think it's a security problem, as it doesn't seem to have any effect on either the sender or the recepient (both are using Linux 2.4.0-test4). -Weston Bug () Weston cx --- Hello, I'm not sure if it's new informations, but as far as I can see it works at least on most of current systems (worked everywhere I could test it). The problem is: -s parameter of ping command has no upper limit for normal users. This allows normal users to send for example 1 * 60000 bytes of ICMP data per second (from one copy of ping invoked) I think it's just great for DoSing ;o) Bye, Slawek
Current thread:
- ping flooding as normal user Slawek (Aug 14)
- Re: ping flooding as normal user Bluefish (Aug 14)
- Re: ping flooding as normal user Pavel Kankovsky (Aug 15)
- Re: ping flooding as normal user Daniel Petzen (Aug 15)
- Re: ping flooding as normal user Glen Rosenblatt (Aug 14)
- Re: ping flooding as normal user Slawek (Aug 14)
- Re: ping flooding as normal user Cam (Aug 15)
- Re: ping flooding as normal user Slawek (Aug 14)
- "Re: ping flooding as normal user" and strange icmp behavior with Linux 2.4 Weston Pawlowski (Aug 17)
- Re: "Re: ping flooding as normal user" and strange icmp behavior withLinux 2.4 Sebastian Pape (Aug 18)
- Re: "Re: ping flooding as normal user" and strange icmp behavior with Linux 2.4 Slawek (Aug 20)
- Re: ping flooding as normal user Bluefish (Aug 14)