SUMMARY: large ping packet attacks

From: Hanna, Brian (Brian.Hanna@dataserv.com)
Date: Tue Oct 29 1996 - 19:23:00 CST


My original question:

>To respond to this security threat, I'm attempting to tell my firewall to
>not respond to ping packets. I've commented out the "echo" service and
>"portmapper" is no longer running... but still the annoying "firewall is
>alive" (i.e. vulnerable) message.
>Is Sun vulnerable to large ping packets? How do I turn off ping?

The answer appears to be to screen ICMP from the outside world via
a screening router. Many thanks to the wise ones who shared.

Brian Hanna

Benjamin Cline (benji@hnt.com) wrote:

Ping uses the ICMP protocol; short of some heavy-duty kernel hacking, there
isn't any easy way to turn off ICMP. You could consider turning off ICMP
(or ICMP echo packets) using your router or firewall software.

Bob Woodward (bobw@kramer.filmworks.com) wrote:

There was a message in the news groups that talked about this problem. I
followed all the links and about three links in was a listing of problem
and safe systems. Solaris 2.4 and 2.5 were listed as safe but since I run
2.5, that's as far as I can say about safe or not.

Claus Assmann (ca@informatik.uni-kiel.de) wrote:

Sun SPARC isn't vulnerable (as far as I remember). Take a look at:
http://www.sophist.demon.co.uk/ping/ for a list of affected systems.

pate (peyler@nortom.com) wrote:

Brian, your best bet is to include a router between your bastion host
and the outside world, then you can prefilter traffic to it. Barring
that, ping is part of the icmp protocol, and isn't affected by tcp or
udp services being present or shut off.

shane.bouslough (shane.bouslough@peri.com) wrote:

You have to disable ICMP protocol packets. This is the protocol
used by ping and traceroute. Normally this is done with a simple
filter in a router in front of your firewall, not your Sun box
(I'm not even sure if it's possible in the Sun box).

but Tox Gunn (tox@remarque.berkeley.edu) put it best when he wrote:

You could simply shut down ICMP at the upstream router.
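
The screening the replies recommend, sketched as an added example in Python (not code from any poster in this thread): a stateless check of the kind a router in front of the firewall applies to each inbound IPv4 packet. The function names, the policy of dropping non-first ICMP fragments, and the sample packets are assumptions constructed for illustration.

```python
import struct

ICMP = 1              # IP protocol number; ICMP has no ports, so disabling
                      # the TCP/UDP "echo" service does not affect ping
ECHO_REQUEST = 8      # ICMP type sent by ping
MAX_DATAGRAM = 65535  # largest legal reassembled IPv4 datagram

def build_packet(proto, payload, frag_units=0, more_fragments=False):
    """Constructed IPv4 packet (checksum left zero) used only as test input."""
    flags_frag = (0x2000 if more_fragments else 0) | frag_units
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0,
                         flags_frag, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return header + payload

def screen(packet):
    """Decide what a stateless outside-interface filter does with one packet."""
    if len(packet) < 20:
        return "drop-malformed"
    ver_ihl, _, total_len, _, flags_frag, _, proto, _ = struct.unpack(
        "!BBHHHBBH", packet[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl:
        return "drop-malformed"
    offset = (flags_frag & 0x1FFF) * 8      # fragment offset in bytes
    # A fragment whose data would end past 65535 can only reassemble into
    # an illegal, oversized datagram, so drop it whatever the protocol.
    if offset + total_len > MAX_DATAGRAM:
        return "drop-oversize"
    if proto != ICMP:
        return "pass"
    if offset > 0:
        return "drop-icmp-fragment"         # ICMP type is only in the first fragment
    if len(packet) > ihl and packet[ihl] == ECHO_REQUEST:
        return "drop-echo"
    return "pass"

if __name__ == "__main__":
    ping = build_packet(ICMP, bytes([8, 0, 0, 0, 0, 1, 0, 1]) + b"x" * 32)
    tail = build_packet(ICMP, b"A" * 8, frag_units=8191)
    udp = build_packet(17, b"\x00" * 16)
    for name, pkt in (("ping", ping), ("late fragment", tail), ("udp", udp)):
        print(name, "->", screen(pkt))
```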


