livingston-PM3-DoS.txt

1999-08-17T00:00:00
ID PACKETSTORM:12343
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

                                        
Date: Wed, 13 Jan 1999 10:13:55 +0100  
From: David TILLOY <dav@NNX.COM>  
To: BUGTRAQ@netspace.org  
Subject: [(PM) PM3s Die - Comfirmed DoS Attack (fwd)]  
  
This is a message from the Livingston PM3 users mailing list. It seems there  
is a problem with the PM3, and Lucent is working on this bug. At this time, the  
solution is given at the end of this message...  
  
Best Regards,  
David.  
  
----- Forwarded message from Romain GUESDON <guesdon@nnx.com> -----  
  
---------- Forwarded message ----------  
Date: Tue, 12 Jan 1999 14:50:35 -0700 (MST)  
From: Doug Ingraham <dpi@rapidnet.com>  
To: Robert Blayzor <robert@superior.net>  
Cc: portmaster-users@livingston.com  
Subject: Re: (PM) PM3s Die - Comfirmed DoS Attack  
  
On Tue, 12 Jan 1999, Robert Blayzor wrote:  
  
> Yes, it's confirmed. PM3's are susceptible to a heavy DoS attack.  
> Anyone with access to a decent (T1 or possibly less) Internet connection  
> can completely hose your ethernet segment on which your PM3(s) live.  
>  
> For security reasons I will not post how to reproduce the problem here.  
> But if you monitor your PM3's and your network closely, you'll know  
> when this happens. Suddenly, your PM3 segment will go from about 50k  
> to over 6M+ (or more)...  
>  
> The problem has been reported to Lucent and they said they will be  
> working on it. I just want to let everyone be aware that if you start  
> seeing this problem on your network, you'll know why.  
>  
> I will hint to you that it has to do with the PM3 advertising routes  
> on your network, but when packets arrive at the PM3, the PM3 stupidly  
> forwards the packets back to the gateway, causing a packet loop on  
> your network until the TTL expires.  
>  
> -Enjoy, this one is a fun one.  
  
This was discussed a long time ago. I ran into it on one of my PM-2's  
before the PM3 even existed. The solution is an ofilter on the ethernet.  
  
If your PM's ethernet address is 192.168.0.10 and if your assigned IPs  
are 192.168.2.16 with a poolsize of 48, as an example, your filter needs to  
look like:  
  
add fil e.out  
set fil e.out 1 permit 192.168.2.32/27  
set fil e.out 2 permit 192.168.2.16/28  
set fil e.out 3 permit 192.168.0.10/32  
set fil e.out 4 deny log  
  
If you have routes assigned by radius you will need to also include those  
permits.  
  
This solves the problem because it allows the box to only source routes  
that it is supposed to be able to source. If you do this on all boxes and  
on your borders nobody will be able to spoof those IP addresses and inject  
them into your network and so they won't bounce between your PM and your  
router like they do now a couple of hundred times before the ttl expires.  
  
Doug Ingraham You can judge the quality of your life by how often  
Rapid City, SD you notice the enjoyment of the little things.  
USA  
----- End forwarded message -----  
  
--  
David TILLOY . Neuronnexion (nnx)  
19/21, rue des Augustins . 80000 Amiens . FRANCE  
Tel (+33 3).22.71.61.90 . Fax (+33 3).22.71.61.99  
Mailto:David.TILLOY@neuronnexion.fr  
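
The pool-to-prefix step behind the forwarded filter, generalized to any pool start and size, as an added example that is not part of the original messages. The function names are hypothetical, the rule lines copy the form shown in the message, and `allowed_source` assumes a rule matches on the packet's source address, as the message describes.

```python
import ipaddress

def pool_blocks(first_ip, pool_size):
    """Smallest set of CIDR blocks covering exactly the assigned pool."""
    if pool_size < 1:
        raise ValueError("pool_size must be at least 1")
    first = ipaddress.IPv4Address(first_ip)
    last = first + (pool_size - 1)
    return list(ipaddress.summarize_address_range(first, last))

def build_ofilter(name, ether_ip, first_ip, pool_size, extra_routes=()):
    """Build the rule lines in the form used in the forwarded message."""
    permits = pool_blocks(first_ip, pool_size)
    # Routes handed out by RADIUS need their own permits (misaligned
    # prefixes raise ValueError here instead of producing a wrong rule).
    permits += [ipaddress.IPv4Network(r) for r in extra_routes]
    permits.append(ipaddress.IPv4Network(ether_ip + "/32"))
    lines = ["add fil " + name]
    for n, net in enumerate(permits, start=1):
        lines.append(f"set fil {name} {n} permit {net}")
    lines.append(f"set fil {name} {len(permits) + 1} deny log")
    return lines

def allowed_source(lines, src_ip):
    """Model of the filter: True if src_ip falls inside any permit rule."""
    src = ipaddress.IPv4Address(src_ip)
    for line in lines:
        parts = line.split()
        if len(parts) == 6 and parts[4] == "permit":
            if src in ipaddress.IPv4Network(parts[5]):
                return True
    return False  # everything else reaches the final "deny log" rule

if __name__ == "__main__":
    # Values from the message: ethernet 192.168.0.10, pool 192.168.2.16, size 48.
    rules = build_ofilter("e.out", "192.168.0.10", "192.168.2.16", 48)
    print("\n".join(rules))
    # Constructed test sources: one inside the pool, one just past its end.
    for src in ("192.168.2.40", "192.168.2.64"):
        print(src, "permit" if allowed_source(rules, src) else "deny log")
```

The permits come out in ascending address order rather than the order used in the message; the set of permitted sources is the same.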
  