RE: icmp: echo reply? Am I being attacked?

2000-07-27 Thread John Vivian
Just a small correction: the broadcast address is
(typically) .255, but a bit of experimentation has
shown that pings to .0 and .255 result in the same
response.  You would be best to block both.

Also, assuming that you used the command tcpdump icmp,
you should see the echo request being sent to the broadcast
address.  Of course, as stated previously, the source of
the echo request can easily be forged.

Lastly, it seems as though Windows machines don't reply to
pings to broadcast addresses; *nix machines, however, will.
This is the likely explanation as to why all the *nix boxes
were exhibiting this behaviour.

As Michael Stone stated, broadcast traffic (at least ICMP)
should be filtered at the router.  Also disabling broadcast
ICMP on the Linux boxes is a good idea regardless of the
filtering on the router.

Hope this helps somewhat.

--
John Vivian
Exxecom
Network Security Analyst
--





-Original Message-
From: Michael Stone [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 27, 2000 9:46 AM
To: Nuno Faria
Cc: debian-security@lists.debian.org
Subject: Re: icmp: echo reply? Am I being attacked?


On Thu, Jul 27, 2000 at 01:15:13PM +0100, Nuno Faria wrote:
> Ranko Veselinovic [EMAIL PROTECTED] sent me privately the following
> e-mail which I think might be relevant for the issue in question:
> ___
> I'm not sure but I think when you send an ICMP ECHO-Request to a
> broadcast
> address that the whole network will answer with echo-replies.
> I think this is a kind of smurf-attack and the address where the replies
> were sent is the target of the attacker. You were just abused for this
> attack.

Yes, you've been used as a smurf amplifier. The best course of action is
to not route broadcast addresses. (I.e., packets going to .0 are blocked
at the router.) Another approach is to
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
on the linux machines. (Try putting it in a startup script.) That will
keep them from replying to broadcast echoes.

-- 
Mike Stone


--  
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact
[EMAIL PROTECTED]



RE: icmp: echo reply? Am I being attacked?

2000-07-26 Thread John Vivian
From the looks of things, your computer (neural1.fe.up.pt) is being
pinged by the remote computer (bozzman.comesurfthe.net).  The output
you quoted in your e-mail is your computer's response to the ping.

A 'ping' consists of two types of ICMP packets: an echo-request
and an echo-reply.

Take a look at the network traffic for echo-requests from the hosts
that your machine is sending the echo-reply to; you should see them.

I may be incorrect with this next statement (corrections anyone?), if
you do not see any echo-requests that correspond to the echo-replies
you are seeing, then it may be possible that someone has compromised
your machines.  This is probably not the case, though I can't say for
certain.  The bottom line is that if you see the echo-requests, then
mystery solved.  Otherwise, you may wish to post again with more
details.

Hope this helps.  Can anyone else provide more info?

--
John Vivian
Exxecom
Network Security Analyst
--





-Original Message-
From: Nuno Faria [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 26, 2000 2:42 PM
To: debian-security@lists.debian.org
Subject: icmp: echo reply? Am I being attacked?


Dear list members,

First of all let me state where I stand.

I've been using Linux (Debian) for one year now. During this year I've
learnt quite a lot but on the issue of network and security I'm a
complete newbie.

Now I think I have a security problem (although it is not exclusively
mine). The problem is as follows:

I am the administrator of three PCs in a local network. They all have
real IP addresses.

Sometimes, without any apparent reason, some of the computers in this
network start producing network traffic without any apparent reason. I do
netstat and there is no indication of a network connection. I do tcpdump
host machinename and I get a series of:

17:32:27.620336 neural1.fe.up.pt > bozzman.comesurfthe.net: icmp: echo reply

not necessarily with the same machine address (bozzman.comesurfthe.net).
The increase in the network traffic can be as high as 50kB/s.

This is not a Debian or Linux specific problem as it also happens on
another machine running Digital Unix, but on the other hand, if I change
one of the PCs from Linux to Win NT4 the problem stops. It reappears when
I change it back to Linux.

Can you help me? Can you point me to some document I might read to find
information related to this subject?

Thanks in advance,

Nuno Faria


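As an added example (not code from this thread or from any of its authors), here is a small Python script that does what both of John Vivian's replies suggest: it reads tcpdump lines in the format Nuno quoted, flags echo requests addressed to .0/.255 addresses (the smurf trigger, whose claimed source is the likely spoofed victim), and sorts every echo reply into one explained by a normal unicast request, one explained only by a broadcast request (amplification traffic), or one with no request visible at all, which is the case John says deserves a closer look. The capture lines and addresses are constructed; the .0/.255 test is the thread's own rule of thumb and assumes /24-style subnets rather than a netmask-aware check.

```python
"""Classify ICMP echo traffic from tcpdump output to spot smurf amplification.

Heuristics follow the thread: an echo request addressed to a .0 or .255
address is a directed-broadcast probe, the *source* of that request is the
likely (spoofed) victim, and every echo reply going back to it is
amplification. A reply with no request behind it deserves a closer look.
Added example; the line format mimics the tcpdump output quoted in the
thread and all addresses below are constructed.
"""
import re
from collections import Counter

# Matches lines such as:
#   17:32:27.620336 neural1.fe.up.pt > bozzman.comesurfthe.net: icmp: echo reply
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):"
    r"\s+icmp:\s+echo\s+(?P<kind>request|reply)\b"
)

# Constructed capture: one broadcast probe with three amplified replies,
# one ordinary ping exchange, the reply line from Nuno's mail with no
# request in view, and one non-echo line that must be ignored.
SAMPLE_CAPTURE = """\
17:32:27.120000 203.0.113.7 > 192.0.2.255: icmp: echo request
17:32:27.120400 192.0.2.10 > 203.0.113.7: icmp: echo reply
17:32:27.120500 192.0.2.11 > 203.0.113.7: icmp: echo reply
17:32:27.120600 192.0.2.12 > 203.0.113.7: icmp: echo reply
17:32:27.300000 198.51.100.5 > 192.0.2.10: icmp: echo request
17:32:27.300300 192.0.2.10 > 198.51.100.5: icmp: echo reply
17:32:27.620336 neural1.fe.up.pt > bozzman.comesurfthe.net: icmp: echo reply
17:32:27.900000 192.0.2.10 > 192.0.2.11: icmp: time exceeded
""".splitlines()


def is_broadcast_like(addr: str) -> bool:
    """True for dotted quads ending in .0 or .255, the two forms the thread
    recommends blocking. Assumption: a /24-style heuristic, not netmask-aware."""
    parts = addr.split(".")
    return len(parts) == 4 and all(p.isdigit() for p in parts) and parts[-1] in ("0", "255")


def same_slash24(a: str, b: str) -> bool:
    """Crude 'same subnet' test matching the /24 assumption above."""
    return a.rsplit(".", 1)[0] == b.rsplit(".", 1)[0]


def parse_line(line: str):
    """Return (ts, src, dst, kind) for an echo request/reply line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("src"), m.group("dst"), m.group("kind")


def analyse(lines):
    records = [r for r in (parse_line(l) for l in lines) if r]
    # Pass 1: index every request by who sent it and where it went.
    unicast_requests = set()          # (requester, target)
    broadcast_targets = {}            # requester -> broadcast addresses probed
    broadcast_requests = []
    for ts, src, dst, kind in records:
        if kind != "request":
            continue
        if is_broadcast_like(dst):
            broadcast_requests.append((ts, src, dst))
            broadcast_targets.setdefault(src, set()).add(dst)
        else:
            unicast_requests.add((src, dst))
    # Pass 2: explain each reply by the request that could have caused it.
    amplified, unicast, unmatched = [], [], []
    reply_counts = Counter()          # replies per destination (the victim)
    for ts, src, dst, kind in records:
        if kind != "reply":
            continue
        reply_counts[dst] += 1
        if (dst, src) in unicast_requests:
            unicast.append((ts, src, dst))
        elif any(same_slash24(src, b) for b in broadcast_targets.get(dst, ())):
            amplified.append((ts, src, dst))
        else:
            unmatched.append((ts, src, dst))
    return {
        "broadcast_requests": broadcast_requests,
        "amplified_replies": amplified,
        "unicast_replies": unicast,
        "unmatched_replies": unmatched,
        "reply_counts": reply_counts,
    }


def report(result) -> str:
    """Human-readable summary of analyse()'s output."""
    out = []
    for ts, victim, bcast in result["broadcast_requests"]:
        out.append(f"{ts} broadcast probe to {bcast}, claimed source {victim} (likely spoofed victim)")
    for victim, n in result["reply_counts"].most_common():
        out.append(f"{n} echo replies sent to {victim}")
    out.append(f"{len(result['amplified_replies'])} amplified, "
               f"{len(result['unicast_replies'])} legitimate, "
               f"{len(result['unmatched_replies'])} with no visible request")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(analyse(SAMPLE_CAPTURE)))
```

Feed it `tcpdump icmp` output captured while the traffic is happening (not a `host` filter, or the broadcast request will never appear) and the summary tells you which address is soaking up the replies and whether a directed-broadcast request explains them. If the replies are explained, the fix is the router filter and the `icmp_echo_ignore_broadcasts` setting Mike describes; if they are not, that is the unexplained case John flags.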