Vulnerability Development mailing list archives

"Re: ping flooding as normal user" and strange icmp behavior with Linux 2.4


From: Weston Pawlowski <bug () WESTON CX>
Date: Thu, 17 Aug 2000 22:00:44 -0000


Although 60000 will work, 65470 will not. There is an upper
limit, it is just a bit high. My LRP box (kernel 2.0.36)
won't reply to anything above 52350, however my server
(kernel 2.4.0-test4) will reply to anything.

In any case, you can reduce the effectiveness of a ping
flood by setting your box to simply not reply to icmp
echo-requests. A ping flood can still clog your bandwidth,
but at least you won't be replying to all those pings and
clogging your upstream bandwidth as well.

It's also a good idea to prevent normal users from using
ping. "chmod 700 /bin/ping" should do the trick. A better
idea would be to allow normal users to use ping, but only
allow normal pings (no options like "-p" and "-s"). That way
they'd have a much harder time using your machine to DoS
someone by flooding or sending an echo-request containing
"+++ATH" to someone with a vulnerable modem, etc. Maybe even
limit the rate of non-root pings being sent from your
system, so that a user couldn't log in several times and
have each of his sessions pinging someone.

Here's how to ignore pings:
ipfwadm (Linux 2.0): ipfwadm -I -a deny -P icmp -S 0.0.0.0/0 8
ipchains (Linux 2.2): ipchains -I input -p ICMP --icmp-type echo-request -j DENY
iptables (Linux 2.4): iptables -I INPUT -p ICMP --icmp-type echo-request -j DROP


Something strange that I noticed while experimenting with
ping is that setting a size of 65465 to 65468 and pinging
one of my Linux 2.4.0-test4 boxes causes it to dump a lot of
hex:

[weston@bug weston]$ ping -s 65468 192.168.22.1 | more
PING 192.168.22.1 (192.168.22.1): 65468 data bytes
65476 bytes from 192.168.22.1: icmp_seq=0 ttl=255 time=14.7 ms
wrong data byte #65464 should be 0xb9 but was 0xb8
        14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33

<then a lot more hex>

Does anyone know what is going on there? I don't think it's
a security problem, as it doesn't seem to have any effect on
either the sender or the recipient (both are using Linux
2.4.0-test4).

-Weston
Bug () Weston cx


---

Hello,


I'm not sure if it's new information, but as far as I can see it works at
least on most of current systems (worked everywhere I could test it).


The problem is:

-s parameter of ping command has no upper limit for normal users.
This allows normal users to send for example 1 * 60000 bytes of ICMP data
per second (from one copy of ping invoked)

I think it's just great for DoSing ;o)


Bye,
Slawek
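
The mitigation suggested in the reply above (normal users get plain pings only, and one at a time per user), sketched as an added example that is not part of either post. The script name safe-ping, the lock directory and the sudo-based setup are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed setup: /bin/ping is
# mode 700 and a sudo rule lets users run only this script (hypothetical
# name: safe-ping), so SUDO_UID is set by sudo and names the caller.
REAL_PING=/bin/ping
LOCK_DIR=/var/run/safe-ping        # hypothetical; writable by root only

# Exactly one argument, hostname/IPv4 characters only. Refusing a leading
# "-" is what keeps -s, -p, -f and every other option away from ping.
valid_target() {
    [ "$#" -eq 1 ] || return 1
    case "$1" in
        ''|-*|.*|*..*)    return 1 ;;
        *[!A-Za-z0-9.-]*) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

# One ping per user at a time. mkdir is atomic, so a second login session
# of the same user fails here while the first ping is still running.
acquire_slot() {
    mkdir -p "$LOCK_DIR" && mkdir "$LOCK_DIR/uid-$1" 2>/dev/null
}
release_slot() {
    rmdir "$LOCK_DIR/uid-$1" 2>/dev/null || :
}

safe_ping() {
    uid=${SUDO_UID:-$(id -u)}
    valid_target "$@" || { echo "usage: safe-ping <host>" >&2; return 2; }
    acquire_slot "$uid" || { echo "uid $uid already has a ping running" >&2; return 3; }
    trap 'release_slot "$uid"; exit 130' INT TERM HUP
    # Fixed count, default size and interval; "--" ends option parsing.
    rc=0
    "$REAL_PING" -c 4 -- "$1" || rc=$?
    trap - INT TERM HUP
    release_slot "$uid"
    return "$rc"
}

# Run only when executed under its own name, not when sourced.
case "$0" in
    *safe-ping) safe_ping "$@" ;;
esac
```

A SIGKILL leaves the per-user lock directory behind, so LOCK_DIR should be cleared at boot.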

