Prevention Techniques (cont’d)
How to prevent being a “bounce site” in a “Smurf” or “Fraggle” attack:
Turn off directed broadcasts to networks:
- Cisco: interface command "no ip directed-broadcast"
- Proteon: IP protocol configuration "disable directed-broadcast"
- Bay Networks: set a false static ARP address for the broadcast address
Use access control lists (if necessary) to prevent ICMP echo requests from entering your network
Encourage vendors to turn off replies for ICMP echos to broadcast addresses
- Host Requirements RFC-1122 Section 3.2.2.6 states "An ICMP Echo Request destined to an IP broadcast or IP multicast address MAY be silently discarded."
- IBM has provided a setting in AIX 4.x to disable responses to broadcast addresses. It is not available in AIX 3.x. Use the "no" command to turn it off or on. NOTE: On AIX 4.x responses are DISABLED by default.
no -o bcastping=0 # disable bcast ping responses (default)
- Solaris can be set not to respond to broadcast ICMP echo requests. Add the following line to your /etc/rc2.d/S69inet startup:
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
- Starting with version 2.2.5, FreeBSD's IP stack does not respond to ICMP echo requests destined to broadcast and multicast addresses by default. The sysctl parameter for this functionality is net.inet.icmp.bmcastecho.
- Under NetBSD, directed broadcasts can be disabled by using the sysctl command:
sysctl -w net.inet.ip.directed-broadcast=0
- Under Linux, one can use the CONFIG_IP_IGNORE_ECHO_REQUESTS variable to completely ignore ICMP echo requests. Of course, this violates RFC 1122.
- Any system (including Linux) with ipfw can be protected by adding rules such as:
ipfwadm -I -a deny -P icmp -D 10.0.0.0 -S 0/0 0 8
ipfwadm -I -a deny -P icmp -D 10.0.0.255 -S 0/0 0 8
(replace 10.0.0.0 and 10.0.0.255 with your base network number and broadcast address, respectively)
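The ACL advice and the ipfwadm rule pair above both reduce to one check: is this an ICMP echo request (type 8) whose destination is the base network number or the broadcast address of one of our subnets? The following Python script is an added illustration, not part of the original slides or any vendor's tooling: it derives both addresses from a CIDR prefix, generates the corresponding ipfwadm deny rules for any subnet (not just the single /24 shown), and classifies a constructed batch of packets (RFC 5737 documentation addresses, not captured traffic) the way a border filter would. The IcmpPacket type and function names are assumptions made for this example.

```python
"""Directed-broadcast ICMP echo filter helper (added example, not from the slides)."""
import ipaddress
from dataclasses import dataclass

ECHO_REQUEST = 8  # ICMP type 8 = echo request; type 0 = echo reply


@dataclass(frozen=True)
class IcmpPacket:
    """Minimal packet summary; a real filter would decode this from the wire."""
    src: str
    dst: str
    icmp_type: int
    icmp_code: int = 0


def broadcast_targets(cidr: str):
    """Return (base network number, broadcast address) for a local subnet.

    These are the two destinations that turn a subnet into an amplifier,
    i.e. the values the slide tells you to substitute into the ipfwadm rules.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.broadcast_address)


def ipfwadm_rules(cidr: str):
    """Emit the pair of ipfwadm deny rules from the slide for one subnet.

    Generalises the 10.0.0.0/24 example: the prefix length decides the broadcast address.
    """
    base, bcast = broadcast_targets(cidr)
    return [
        f"ipfwadm -I -a deny -P icmp -D {base} -S 0/0 0 8",
        f"ipfwadm -I -a deny -P icmp -D {bcast} -S 0/0 0 8",
    ]


def is_amplifier_probe(pkt: IcmpPacket, local_cidrs):
    """True if pkt is an echo request aimed at the network or broadcast address
    of any local subnet; these are the packets a border ACL should drop."""
    if pkt.icmp_type != ECHO_REQUEST:
        return False  # replies and other ICMP types are not the amplifier trigger
    dst = ipaddress.ip_address(pkt.dst)
    for cidr in local_cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        if dst in (net.network_address, net.broadcast_address):
            return True
    return False


def filter_packets(packets, local_cidrs):
    """Split a batch into (dropped, passed) according to the directed-broadcast check."""
    dropped = [p for p in packets if is_amplifier_probe(p, local_cidrs)]
    passed = [p for p in packets if not is_amplifier_probe(p, local_cidrs)]
    return dropped, passed


# Constructed sample data (RFC 5737 documentation ranges), not captured traffic.
LOCAL_NETS = ["192.0.2.0/24", "198.51.100.0/25"]
SAMPLE_TRAFFIC = [
    IcmpPacket("203.0.113.7", "192.0.2.255", 8),      # echo request to /24 broadcast -> drop
    IcmpPacket("203.0.113.7", "192.0.2.0", 8),        # echo request to base network -> drop
    IcmpPacket("203.0.113.7", "198.51.100.127", 8),   # echo request to /25 broadcast -> drop
    IcmpPacket("203.0.113.7", "192.0.2.10", 8),       # ordinary unicast ping -> pass
    IcmpPacket("192.0.2.10", "192.0.2.255", 0),       # echo reply, not a request -> pass
]

if __name__ == "__main__":
    for cidr in LOCAL_NETS:
        for rule in ipfwadm_rules(cidr):
            print(rule)
    dropped, passed = filter_packets(SAMPLE_TRAFFIC, LOCAL_NETS)
    print(f"dropped={len(dropped)} passed={len(passed)}")
```

Note that the rules match the network address as well as the broadcast address: on older BSD-derived stacks the all-zeros host address was also treated as a broadcast, which is why the slide lists both. The classifier deliberately lets echo replies through; the goal is to stop the request that triggers the amplification, not to block ICMP wholesale.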