COMMAND
Borderware firewall
SYSTEMS AFFECTED
Borderware firewall server v. 6.1.2 (others?)
PROBLEM
Duane Dunston found the following. Sending a ping to the broadcast
address on the network causes Borderware's ping server to continuously
send echo requests to the entire network. It is possible that a
Denial-of-Service attack (smurf attack) can be executed on the
network using freely available exploit code. This can occur
externally if broadcast packets aren't dropped at the router, or on
the local network if other machines aren't configured to deny
directed broadcasts.
This will not affect networks behind the Borderware Firewall but
it will affect machines on the same network as the Borderware's
public interface. Reproducing the exploit:
ping xxx.xxx.xxx.255 or ping xxx.xxx.xxx.0/24
The -f switch will perform a ping flood, see the ping man page for
more info.
There are freely available smurf attack exploits available on the
internet as well.
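As an added example (not part of the advisory), a small Python detector that scans constructed tcpdump-style ICMP lines for echo requests aimed at a network's directed-broadcast address and counts how many echo replies flow back to each request's source address, the amplification pattern the advisory describes; the log lines, addresses, CIDR and function names are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed tcpdump-style lines (assumed format, not from the advisory).
# 10.0.0.9 is a hypothetical address that appears as the source of echo
# requests sent to the 10.0.0.0/24 directed-broadcast address; in a smurf
# attack that source is typically spoofed and is the real victim.
SAMPLE_LOG = """\
12:00:00.100 IP 10.0.0.9 > 10.0.0.255: ICMP echo request, id 1, seq 1, length 64
12:00:00.101 IP 10.0.0.9 > 10.0.0.255: ICMP echo request, id 1, seq 2, length 64
12:00:00.102 IP 10.0.0.9 > 10.0.0.255: ICMP echo request, id 1, seq 3, length 64
12:00:00.103 IP 10.0.0.20 > 10.0.0.9: ICMP echo reply, id 1, seq 1, length 64
12:00:00.104 IP 10.0.0.21 > 10.0.0.9: ICMP echo reply, id 1, seq 1, length 64
12:00:00.105 IP 10.0.0.5 > 10.0.0.7: ICMP echo request, id 7, seq 1, length 64
"""

LINE_RE = re.compile(r"IP (\S+) > (\S+): ICMP echo (request|reply)")


def is_directed_broadcast(addr, network):
    """True if addr is the broadcast (or legacy all-zeros) address of network."""
    ip = ipaddress.ip_address(addr)
    return ip in (network.broadcast_address, network.network_address)


def find_broadcast_pingers(log_text, cidr):
    """Map each source of broadcast echo requests to the request count and the
    number of echo replies observed flowing back to that source address."""
    network = ipaddress.ip_network(cidr)
    requests = Counter()
    replies = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an ICMP echo line
        src, dst, kind = m.groups()
        if kind == "request" and is_directed_broadcast(dst, network):
            requests[src] += 1
        elif kind == "reply":
            replies[dst] += 1
    return {
        src: {"broadcast_requests": n, "replies_to_source": replies[src]}
        for src, n in requests.items()
    }


if __name__ == "__main__":
    for src, stats in find_broadcast_pingers(SAMPLE_LOG, "10.0.0.0/24").items():
        print(f"{src}: {stats['broadcast_requests']} broadcast echo requests, "
              f"{stats['replies_to_source']} replies returned to it")
```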
SOLUTION
Borderware doesn't give users access to the console to restart the
ping server so you have to call them to restart it remotely. For
machines on the network that are responding to the broadcasts
running Linux, you can write "1" to the
/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts file:
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
or add it to your /etc/sysctl.conf file (recommended):
net.ipv4.icmp_echo_ignore_broadcasts = 1
then run:
# sysctl -p (to load the change from /etc/sysctl.conf)
Perhaps even
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
would be much better.
On a cisco router this line will prevent replies to a directed
broadcast:
deny ip any 0.0.0.255 255.255.255.0
Borderware informed customers that the pings can be stopped
on-site by resetting the interfaces, which can be done from the
Borderware client. Provided the exploit doesn't attempt to
re-establish a connection when the network interface comes back
up, this is a temporary fix until the problem is corrected.