UDP Port 7 - trying to understand
on 25.05.2006 13:21:00 by Java and Swing
I understand that UDP port 7 is typically used to run echo. What I am
trying to understand is how, by sending numerous packets to port 7, is
this an attack? i.e. how does it cause a problem?
Just looking for a clear explanation.
thanks.
Re: UDP Port 7 - trying to understand
on 25.05.2006 13:41:00 by Java and Swing
....for example. I understand that if you were to send numerous packets
to the broadcast address of a network using UDP on port 7...you could
potentially cause the network to be flooded, as all the computers on
that network would "echo" what they saw on UDP port 7. But what effect
would it have if you just target one specific machine, if any?
Thanks.
Re: UDP Port 7 - trying to understand
on 25.05.2006 13:48:39 by MAILER-DAEMON
"Java and Swing" writes:
>I understand that UDP port 7 is typically used to run echo. What I am
>trying to understand is how, by sending numerous packets to port 7, is
>this an attack? i.e. how does it cause a problem?
The echo answer packets are larger, and probably more numerous,
than the (ratelimited) ICMP-port-unreachable messages that you'll
get back when no echo service is running.
Thus, for a given load of request packets, more return bandwidth
is consumed.
best regards
Patrick
Re: UDP Port 7 - trying to understand
on 25.05.2006 17:06:58 by Ludovic Joly
This is a classic attack.
It is very easy to spoof UDP and an attacker can make some machines
echo some packets to some others, causing a denial of service as a
result (slowing the machines down and saturating the network).
An attack may also involve the UDP chargen service (a hopefully mostly
unused service these days).
The right thing to do is to disable and filter the chargen and echo
services, as well as the other unused UDP services.
Kind regards
Ludovic Joly
Re: UDP Port 7 - trying to understand
on 25.05.2006 17:14:47 by Ludovic Joly
To be more clear, an efficient attack is a ping-pong type one achieved
via spoofing: A(ttacker) makes B send something to C that then sends
back something to B, etc.
Kind regards
Ludovic Joly
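
As an added example (not part of the original thread), the B-to-C ping-pong described above can be recognised in flow records by the fact that a reflecting service sits on both ends of the conversation, which never happens with an ordinary client. The record layout, the sample addresses and the name `find_reflection_loops` are assumptions constructed for illustration.

```python
from collections import defaultdict

# UDP services that answer every datagram they receive:
# echo (RFC 862, port 7) and chargen (RFC 864, port 19).
REFLECTING_PORTS = {7: "echo", 19: "chargen"}

# Constructed sample flow records (documentation addresses, RFC 5737):
# (src_ip, src_port, dst_ip, dst_port)
SAMPLE_FLOWS = [
    ("192.0.2.10", 51514, "192.0.2.20", 7),    # ordinary client using echo
    ("192.0.2.20", 7, "192.0.2.10", 51514),    # its reply
    ("192.0.2.30", 19, "192.0.2.20", 7),       # chargen -> echo
    ("192.0.2.20", 7, "192.0.2.30", 19),       # echo -> chargen
    ("192.0.2.30", 19, "192.0.2.20", 7),
    ("192.0.2.20", 7, "192.0.2.30", 19),
    ("192.0.2.40", 53, "192.0.2.20", 40000),   # unrelated DNS reply
]


def find_reflection_loops(flows, min_packets=4):
    """Return endpoint pairs whose UDP traffic has a reflecting service on
    both ends and packets in both directions (a B<->C ping-pong)."""
    seen = defaultdict(lambda: defaultdict(int))  # pair -> sender -> packets
    for src, sport, dst, dport in flows:
        # A real client sends from an ephemeral port; only a loop (or the
        # spoofed datagram that starts one) has a reflecting service as
        # both source and destination port.
        if sport in REFLECTING_PORTS and dport in REFLECTING_PORTS:
            pair = tuple(sorted([(src, sport), (dst, dport)]))
            seen[pair][(src, sport)] += 1
    loops = []
    for pair, senders in sorted(seen.items()):
        total = sum(senders.values())
        if len(senders) == 2 and total >= min_packets:
            loops.append({"endpoints": pair, "packets": total})
    return loops


if __name__ == "__main__":
    for loop in find_reflection_loops(SAMPLE_FLOWS):
        (a_ip, a_port), (b_ip, b_port) = loop["endpoints"]
        print(f"loop: {a_ip}:{a_port} ({REFLECTING_PORTS[a_port]}) <-> "
              f"{b_ip}:{b_port} ({REFLECTING_PORTS[b_port]}), "
              f"{loop['packets']} packets")
```
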
Re: UDP Port 7 - trying to understand
on 25.05.2006 21:59:01 by ibuprofin
On 25 May 2006, in the Usenet newsgroup comp.security.misc, in article
<1148556060.006861.305160@g10g2000cwb.googlegroups.com>, Java and Swing wrote:
>I understand that UDP port 7 is typically used to run echo.
0792 Internet Control Message Protocol. J. Postel. September 1981.
(Format: TXT=30404 bytes) (Obsoletes RFC0777) (Updated by RFC0950)
(Also STD0005) (Status: STANDARD)
0862 Echo Protocol. J. Postel. May 1983. (Format: TXT=1237 bytes)
(Also STD0020) (Status: STANDARD)
TCP and UDP echo is extremely rare - most systems do not have the client
needed to create an echo request, and fewer still have the echo server
enabled. The "ping" you are used to is the ICMP Type 8 packet, and has
nothing to do with TCP or UDP.
>What I am trying to understand is how, by sending numerous packets to
>port 7, is this an attack? i.e. how does it cause a problem
Doesn't look any more of a problem than the average port scan. The remote
sends a data packet to port 7 on this system. Nothing is listening, so the
network stack sends back a RST (or ICMP Type 3 Code 3) - end of conversation.
On 25 May 2006, in the Usenet newsgroup comp.security.misc, in article
<1148557260.317929.48840@j73g2000cwa.googlegroups.com>, "Java and Swing"
continued:
>...for example. I understand that if you were to send numerous packets
>to the broadcast address of a network using UDP on port 7...you could
>potentially cause the network to be flooded, as all the computers on
>that network would "echo" what they saw on UDP port 7.
The only thing that would happen is that there _COULD_ be a bunch of RST
packets in reply. Just tried it here - _none_ of the systems on the LAN
responded. Now, if you did the same thing with an ICMP ping, you may
get a bunch of systems trying to reply. However, some operating systems
(windoze being one) _ignore_ ICMP pings to a broadcast address. Other
systems may be configured to ignore just broadcast pings, or all pings.
The reason is simple - l33t wankers have discovered it is possible to
waste resources (network bandwidth) with pings, and as this service is
not needed to make networking work, many administrators have disabled the
service.
>But what effect would it have if you just target one specific machine,
>if any?
Waste of bandwidth. When microsoft first invented networking 13 years
after everyone else, they did a shoddy job as usual. There was a problem
called the "Ping of Death", where sending an oversized ping would crash
a windoze box. Every klown in the world thought this was great sport,
until microsoft finally fixed the problem about 4 years later.
Old guy
Re: UDP Port 7 - trying to understand
on 25.05.2006 22:19:54 by Sebastian Gottschalk
Moe Trin wrote:
> The "ping" you are used to is the ICMP Type 8 packet, and has
> nothing to do with TCP or UDP.
Nitpick: Solaris uses TCP-SYNs for pinging.
Re: UDP Port 7 - trying to understand
on 26.05.2006 21:52:20 by ibuprofin
On Thu, 25 May 2006, in the Usenet newsgroup comp.security.misc, in article
<4dmhreF1b52elU1@news.dfncis.de>, Sebastian Gottschalk wrote:
>Moe Trin wrote:
>> The "ping" you are used to is the ICMP Type 8 packet, and has
>> nothing to do with TCP or UDP.
>
>Nitpick: Solaris uses TCP-SYNs for pinging.
Oh, REALLY? That's not quite what the man page indicates. That's also
absolutely NOT what I see on the wire. Have you tried that?
NAME
ping- send ICMP (ICMP6) ECHO_REQUEST packets to network hosts
SYNOPSIS
/usr/sbin/ping host [timeout]
/usr/sbin/ping -s [-l| -U] [-adlLnrRv] [-A addr_family]
[-c traffic_class] [-g gateway [-g gateway...]] [-F flow_label]
[-I interval] [-i interface] [-P tos] [-p port] [-t ttl] host
[data_size] [npackets]
DESCRIPTION
The utility ping utilizes the ICMP (ICMP6 in IPv6) protocol's
ECHO_REQUEST datagram to elicit an ICMP (ICMP6) ECHO_RESPONSE from
the specified host or network gateway.
That's a sol-10 box. The -U option (which is _not_ the default) uses UDP,
but UDP is not TCP.
-U
Send UDP packets instead of ICMP (ICMP6) packets. ping sends
UDP packets to consecutive ports expecting to receive back
ICMP (ICMP6) PORT_UNREACHABLE from the target host.
And it defaults to 33434 and incrementing (see the -p option), not port 7.
Are you thinking of 'nisping (1m)'? You may want to re-read that man page
again. Another possible application would be 'arping' or 'hping2' - neither
of which is a standard ping at all,
[compton ~]$ whatis hping2
arping (8) - sends arp and/or ip pings to a given host
hping2 (8) - send (almost) arbitrary TCP/IP packets to network hosts
[compton ~]$
and neither of which are Sun/Solaris applications (although they can be
installed from source).
Old guy