COMMAND

    Borderware firewall

SYSTEMS AFFECTED

    Borderware firewall server v. 6.1.2 (others?)

PROBLEM

    Duane Dunston found the following.  Sending a ping to the broadcast
    address on the network causes Borderware's ping server to
    continuously send echo requests to the entire network.  It is
    possible that a Denial-of-Service attack (smurf attack) can be
    executed on the network using freely available exploit code.  This
    can occur externally if broadcast packets aren't dropped at the
    router, or on the local network if other machines aren't configured
    to deny directed broadcasts.

    This will not affect networks behind the Borderware Firewall, but
    it will affect machines on the same network as the Borderware
    firewall's public interface.  Reproducing the exploit:

        ping xxx.xxx.xxx.255 or ping xxx.xxx.xxx.0/24

    The -f switch will perform a ping flood, see the ping man page for
    more info.

    Freely available smurf attack exploits exist on the internet as
    well.
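    The symptom described above, a single host sending a sustained
    stream of ICMP echo requests to the subnet's directed-broadcast
    address, is easy to spot in a packet capture.  The following is an
    added example, not part of the advisory: a shell function that
    scans tcpdump-style text lines and reports each (source,
    destination) pair where the destination is a directed broadcast
    (last octet 255, a /24 assumption) and the echo-request count
    reaches a threshold.  The capture lines are constructed for the
    example.

```shell
# Added example (not from the advisory): flag ICMP echo requests aimed at a
# directed-broadcast address in tcpdump-style text, counted per source.
# Input format assumed (constructed): "<time> IP <src> > <dst>: ICMP echo request, ..."

# flag_broadcast_echo <threshold>   reads tcpdump-style lines on stdin
# Prints "src dst count" for each (src,dst) pair whose dst is a directed
# broadcast (last octet 255) and whose count reaches the threshold.
flag_broadcast_echo() {
    threshold="${1:-3}"
    awk -v thr="$threshold" '
        $2 == "IP" && /ICMP echo request/ {
            src = $3
            dst = $5
            sub(/:$/, "", dst)          # strip trailing colon from destination
            if (dst ~ /\.255$/) {       # directed broadcast (/24 assumption)
                count[src " " dst]++
            }
        }
        END {
            for (k in count)
                if (count[k] >= thr) print k, count[k]
        }
    ' | sort
}

# Constructed sample capture: one host hammering the subnet broadcast, one
# ordinary unicast ping and its reply, one single broadcast probe below the
# threshold.
SAMPLE_CAPTURE='12:00:01.000001 IP 192.0.2.50 > 192.0.2.255: ICMP echo request, id 1, seq 1, length 64
12:00:01.000002 IP 192.0.2.50 > 192.0.2.255: ICMP echo request, id 1, seq 2, length 64
12:00:01.000003 IP 192.0.2.50 > 192.0.2.255: ICMP echo request, id 1, seq 3, length 64
12:00:01.000004 IP 192.0.2.50 > 192.0.2.255: ICMP echo request, id 1, seq 4, length 64
12:00:01.000005 IP 192.0.2.10 > 192.0.2.20: ICMP echo request, id 2, seq 1, length 64
12:00:01.000006 IP 192.0.2.20 > 192.0.2.10: ICMP echo reply, id 2, seq 1, length 64
12:00:01.000007 IP 192.0.2.77 > 192.0.2.255: ICMP echo request, id 3, seq 1, length 64'

# Stand-alone run: prints "192.0.2.50 192.0.2.255 4"
printf '%s\n' "$SAMPLE_CAPTURE" | flag_broadcast_echo 3
```

    On a live network the same function can be fed from
    `tcpdump -l -n icmp`; a stuck ping server of the kind described here
    shows up as one source with a count that keeps climbing, while
    ordinary unicast pings never appear in the output.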

SOLUTION

    Borderware doesn't give users access to the console to restart the
    ping server, so you have to call them to have it restarted remotely.
    For machines on the network that are responding to the broadcasts
    and running Linux, you can write "1" to the
    /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts file:

        # echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

    or add it to your /etc/sysctl.conf file (recommended):

        net.ipv4.icmp_echo_ignore_broadcasts = 1

    then run:

        # sysctl -p    (reloads /etc/sysctl.conf so the change takes effect)

    Perhaps even

        # echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

    would be much better, though note that this also silences unicast
    echo requests, so the host will no longer answer ordinary pings used
    for monitoring.
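    The Linux steps above (write 1 to the /proc entry, persist the
    setting in /etc/sysctl.conf, reload) are easy to get half right:
    the live value and the file can disagree, and a later line in
    sysctl.conf silently overrides an earlier one.  The following is an
    added example, not part of the advisory: shell functions that audit
    sysctl.conf text for net.ipv4.icmp_echo_ignore_broadcasts using the
    same last-assignment-wins rule sysctl -p applies, and an apply
    function that sets the live value and persists it.  The sample
    configuration texts are constructed; the apply function assumes the
    standard /proc and /etc/sysctl.conf paths and needs root, so the
    stand-alone run only exercises the audit.

```shell
# Added example (not from the advisory): audit /etc/sysctl.conf text for the
# icmp_echo_ignore_broadcasts setting and, when run as root, apply it both to
# the live kernel (/proc) and persistently. Sample file contents below are
# constructed for the example.

SYSCTL_KEY="net.ipv4.icmp_echo_ignore_broadcasts"
PROC_PATH="/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts"

# effective_sysctl_value <sysctl.conf text>
# Prints the value that sysctl -p would leave in effect for the key, using the
# LAST uncommented assignment (later lines win); prints "unset" if none.
effective_sysctl_value() {
    printf '%s\n' "$1" | awk -v key="$SYSCTL_KEY" '
        /^[[:space:]]*[#;]/ { next }                     # skip comment lines
        {
            line = $0
            sub(/[#;].*$/, "", line)                     # strip trailing comment
            if (split(line, kv, "=") == 2) {
                gsub(/[[:space:]]/, "", kv[1])
                gsub(/[[:space:]]/, "", kv[2])
                if (kv[1] == key) value = kv[2]
            }
        }
        END { if (value == "") print "unset"; else print value }
    '
}

# audit_sysctl_conf <sysctl.conf text>
# Prints "ok" when the persistent config ignores broadcast echo requests,
# "weak" when it leaves them enabled (0 or junk), "missing" when not configured.
audit_sysctl_conf() {
    case "$(effective_sysctl_value "$1")" in
        1)     echo ok ;;
        unset) echo missing ;;
        *)     echo weak ;;
    esac
}

# apply_ignore_broadcasts: live change plus persistent line. Requires root;
# appends to /etc/sysctl.conf only when the file does not already end up at 1.
apply_ignore_broadcasts() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    echo 1 > "$PROC_PATH"
    if [ "$(audit_sysctl_conf "$(cat /etc/sysctl.conf 2>/dev/null)")" != ok ]; then
        printf '%s = 1\n' "$SYSCTL_KEY" >> /etc/sysctl.conf
    fi
    sysctl -p   # reload /etc/sysctl.conf so the file and the kernel agree
}

# Constructed sample configs for a stand-alone run.
CONF_HARDENED='# hardening
net.ipv4.ip_forward = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1   # smurf mitigation'
CONF_WEAK='net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_echo_ignore_broadcasts=0'
CONF_MISSING='net.ipv4.ip_forward = 0'

echo "hardened: $(audit_sysctl_conf "$CONF_HARDENED")"   # ok
echo "weak:     $(audit_sysctl_conf "$CONF_WEAK")"       # weak (last line wins)
echo "missing:  $(audit_sysctl_conf "$CONF_MISSING")"    # missing
```

    Run `audit_sysctl_conf "$(cat /etc/sysctl.conf)"` on a host to see
    which of the three states it is in; pairing that with
    `cat /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts` shows whether
    the live kernel and the file agree.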

    On a Cisco router this access-list entry will prevent replies to a
    directed broadcast:

        deny ip any 0.0.0.255 255.255.255.0

    Borderware  informed  customers  that  the  pings  can  be stopped
    on-site by resetting  the interfaces, which  can be done  from the
    Borderware  client.   Provided  the  exploit  doesn't  attempt  to
    re-establish a  connection when  the network  interface comes back
    up, this is a temporary fix until the problem is corrected.