[plug] local DoS with ping -R

Matt Kemner zombie at networx.net.au
Mon Dec 13 12:26:14 WST 1999


On Mon, 13 Dec 1999, Anthony J. Breeds-Taurima wrote:

> This means you can't attack someone from 2.1 without hacking ping.c. It
> doesn't mean you can't be attacked by someone (... well you're obviously
> behind a f/w so that doesn't count)  BUT if your box had a real IP I
> reckon you'd be vulnerable

You are missing the point.. There are actually three issues here.

1. Some versions of ping allow "mere mortals" to create large packets
   with -s and use those packets to flood somebody else's link.
   You can also flood someone's link from your own box as root, but you
   are limited by the size of your own link, which is why the -s problem
   only really applies for ISPs, where you don't want "mere mortals" to
   use your big E1 link to flood some poor soul's 56k link.
   (Of course there are easier ways to flood someone's link that don't
    require root access, such as sending lots and lots of large UDP
    packets)

2. (my original reason for posting, and the most recent ping bug)
   Some versions of ping allow you to create an invalid packet with
   "ping -s 65468 -R" that crashes the machine _you are running ping on_.
   This is mainly a problem for ISPs etc. where you cannot trust local
   users.

3. Some versions of ping (that ping a host every second by default) rely
   on the "ALARM" signal to tell if a second has passed yet, so you can
   trick it into sending pings several times a second by sending it the alarm
   signal several times a second.
   I think this has also been fixed in recent versions of ping.
   (At least I can't reproduce it with the version of ping that I could
    successfully crash the 2.0 machine with :)
   See http://www.securityfocus.com/templates/archive.pike?list=1&msg=352CAAE8.CC902ABA@mclink.it
   for a sample exploit program.

 - Matt
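Added example (not code from the thread, from ping.c, or from any particular ping implementation) illustrating points 2 and 3 above. The post does not say what makes "ping -s 65468 -R" invalid; the arithmetic below is an assumption that fits the number: 65468 bytes of payload + 8 bytes of ICMP echo header + a 60-byte IP header (20 bytes plus a record-route option filling the full 40-byte option space) = 65536, one byte past what the 16-bit IP total-length field can hold, so an unchecked length wraps to 0. The functions `max_ping_datalen`, `ping_total_len` and `truncated_total_len` show the bounds check a ping or a kernel should apply before building the packet. For point 3, `ping_send_due` gates sends on elapsed monotonic time instead of on the count of SIGALRM deliveries, and `main` simulates five rapid alarms with `raise()` to show that only one ping would go out.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* IPv4 / ICMP sizing constants (from the protocol definitions, not from the thread). */
#define IP_HDR_LEN      20      /* base IPv4 header, no options */
#define IP_MAX_OPT_LEN  40      /* IHL is 4 bits, so the header is at most 60 bytes */
#define ICMP_ECHO_LEN   8       /* type, code, checksum, identifier, sequence */
#define IP_MAX_TOTLEN   65535   /* total length is a 16-bit field */
/* Assumption: ping -R fills the whole option space with a record-route option. */
#define RR_OPT_LEN      IP_MAX_OPT_LEN

/* Largest -s payload that still fits in one datagram carrying optlen bytes of options. */
int max_ping_datalen(int optlen)
{
    return IP_MAX_TOTLEN - IP_HDR_LEN - optlen - ICMP_ECHO_LEN;
}

/* Total datagram length computed in wide arithmetic; -1 if it cannot be a valid datagram.
 * This is the check that a safe ping (or the raw-socket path in the kernel) must make. */
long ping_total_len(int datalen, int optlen)
{
    if (datalen < 0 || optlen < 0 || optlen > IP_MAX_OPT_LEN || (optlen % 4) != 0)
        return -1;
    long total = (long)IP_HDR_LEN + optlen + ICMP_ECHO_LEN + datalen;
    return total > IP_MAX_TOTLEN ? -1 : total;
}

/* What the 16-bit length field would hold if the size were never checked. */
uint16_t truncated_total_len(int datalen, int optlen)
{
    return (uint16_t)(IP_HDR_LEN + optlen + ICMP_ECHO_LEN + datalen);
}

/* Point 3: decide whether a ping is due from elapsed monotonic time, so that extra
 * SIGALRM deliveries from another user cannot raise the send rate. */
bool ping_send_due(const struct timespec *last, const struct timespec *now, long interval_ms)
{
    long elapsed_ms = (now->tv_sec - last->tv_sec) * 1000L
                    + (now->tv_nsec - last->tv_nsec) / 1000000L;
    return elapsed_ms >= interval_ms;
}

static volatile sig_atomic_t alarms_seen;
static void on_alarm(int sig) { (void)sig; alarms_seen++; }

int main(void)
{
    /* Part 1: the -s 65468 -R arithmetic. */
    printf("largest -s with -R: %d\n", max_ping_datalen(RR_OPT_LEN));
    printf("-s 65468 -R: total length %ld (a 16-bit field would read %u)\n",
           ping_total_len(65468, RR_OPT_LEN), truncated_total_len(65468, RR_OPT_LEN));
    printf("-s 65468 without -R: total length %ld\n", ping_total_len(65468, 0));

    /* Part 2: five alarms in quick succession, but only one send is due. */
    struct sigaction sa;
    sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    sigaction(SIGALRM, &sa, NULL);

    struct timespec last = { 0, 0 }, now;
    int sends = 0;
    for (int i = 0; i < 5; i++) {
        raise(SIGALRM);                 /* stands in for kill -ALRM <pid> from another user */
        clock_gettime(CLOCK_MONOTONIC, &now);
        if (ping_send_due(&last, &now, 1000)) {
            sends++;
            last = now;
        }
    }
    printf("alarms delivered: %d, pings sent: %d\n", (int)alarms_seen, sends);
    return 0;
}
```

The interesting value is `max_ping_datalen(40)`, which comes out to 65467: one byte below the size in Matt's command line, so with the record-route option present 65468 is exactly the first payload size whose total length no longer fits in 16 bits, while without -R the same -s value is harmless. A ping that rejects `datalen > max_ping_datalen(optlen)` before touching the socket never builds the wrapped packet; a ping that only counts SIGALRMs, rather than checking the clock as `ping_send_due` does, sends as fast as signals arrive.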
