Vulnerability Development mailing list archives

Re: "Re: ping flooding as normal user" and strange icmp behavior with Linux 2.4


From: Slawek <sgp () TELSATGP COM PL>
Date: Sun, 20 Aug 2000 10:36:24 +0200

Friday, August 18, 2000 12:00 AM +0200, Weston Pawlowski wrote:
Although 60000 will work, 65470 will not. There is an upper
limit, it is just a bit high. My LRP box (kernel 2.0.36)
won't reply to anything above 52350, however my server
(kernel 2.4.0-test4) will reply to anything.

In any case, you can reduce the effectiveness of a ping
flood by setting your box to simply not reply to icmp
echo-requests. A ping flood can still clog your bandwidth,
but at least you won't be replying to all those pings and
clogging your upstream bandwidth as well.

Well, in fact eating somebody's incoming bandwidth is enough most of the
time .. and disabling ping replying is not a very good idea at all. I'm
disabling it temporarily when I get "too many" pings.

In fact, at least in my example, the system didn't reply to any of the pings
just because it didn't receive *any* of the pings "from the start to the
end" (at least one of the fragments got lost from each of them).


<snip>
Something strange that I noticed while experimenting with
ping is that setting a size of 65465 to 65468 and pinging
one of my Linux 2.4.0-test4 boxes causes it to dump a lot of
hex:

[weston@bug weston]$ ping -s 65468 192.168.22.1 | more
PING 192.168.22.1 (192.168.22.1): 65468 data bytes
65476 bytes from 192.168.22.1: icmp_seq=0 ttl=255 time=14.7 ms
wrong data byte #65464 should be 0xb9 but was 0xb8
14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27
28 29 2a 2b 2c 2d 2e 2f 30 31 32 33

<then a lot more hex>

Does anyone know what is going on there? I don't think it's
a security problem, as it doesn't seem to have any effect on
either the sender or the recipient (both are using Linux
2.4.0-test4).


Well, this is *really* bad, this can be some overflow in large packet
handling or something like that ..

And different systems allow different maximum ping packet sizes .. well ..
this is not a limitation of the "ping" command but rather something in the kernel
.. I wonder what would happen if somebody pings some system with a packet
larger than it could "ping reply".


In fact I can see some DoS programs in the wild based on this problem ..
This is an example: http://newdata.box.sk/neworder/harmless/GTMHH2-3.TXT

NOTE: I *DIDN'T* CHECK THIS OUT, sorry if it's not working ;o) .. well, in
fact I hope it's not working


Bye,
Slawek
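The size limits, fragment counts and the "wrong data byte" check that the two posters are seeing, modelled as an added example that is not part of any post in this thread. It assumes a 20-byte IPv4 header without options, the 8-byte ICMP echo header, and the classic ping fill pattern (data byte i is i & 0xff after the 8-byte timestamp area), which differs between ping versions; the 65468 cap is taken from BSD-derived ping's MAXPACKET (65536 - 60 - 8), stated here as an assumption.

```python
# Added example, not code from the thread. Models IPv4 echo size limits and
# ping's reply check. Assumptions: 20-byte IPv4 header (no options), 8-byte
# ICMP echo header, classic fill pattern (data byte i == i & 0xff; the first
# 8 data bytes hold a timestamp and are not checked).
IPV4_MAX = 65535
IPV4_HDR = 20
ICMP_HDR = 8
MAX_ECHO_DATA = IPV4_MAX - IPV4_HDR - ICMP_HDR    # 65507, the wire limit
PING_CAP = 65536 - 60 - 8                         # 65468, BSD ping MAXPACKET

def echo_fits_ipv4(data_len: int) -> bool:
    """True if an echo request with data_len data bytes is a legal IPv4 datagram."""
    return 0 <= data_len <= MAX_ECHO_DATA

def fragment_count(data_len: int, mtu: int = 1500) -> int:
    """Fragments the request is split into on a link with the given MTU.
    All but the last fragment carry a multiple of 8 bytes (1480 on Ethernet).
    A reply can only exist if every one of these fragments arrives."""
    payload = ICMP_HDR + data_len
    per_frag = (mtu - IPV4_HDR) // 8 * 8
    return -(-payload // per_frag)                # ceiling division

def build_pattern(data_len: int) -> bytes:
    """Echo data as ping fills it: timestamp area (zeroed here), then i & 0xff."""
    return bytes(min(8, data_len)) + bytes(i & 0xff for i in range(8, data_len))

def first_wrong_byte(reply_data: bytes):
    """ping's reply check: (index, expected, actual) of the first mismatch
    after the timestamp, or None if the data came back intact."""
    for i in range(8, len(reply_data)):
        if reply_data[i] != (i & 0xff):
            return (i, i & 0xff, reply_data[i])
    return None

def mismatch_message(mismatch) -> str:
    """Same wording ping prints for a corrupted reply."""
    i, want, got = mismatch
    return f"wrong data byte #{i} should be {want:#x} but was {got:#x}"

if __name__ == "__main__":
    for size in (56, 52350, 65468, 65470, 65507, 65508):
        print(f"-s {size}: fits={echo_fits_ipv4(size)} "
              f"fragments={fragment_count(size)}")
    reply = bytearray(build_pattern(PING_CAP))
    reply[65464] = (reply[65464] - 1) & 0xff      # constructed corrupt reply
    print(mismatch_message(first_wrong_byte(bytes(reply))))
```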

