From: SMTP%"PROBLEMS@tdr.com" 16-NOV-1994 11:45:25.24
To: EVERHART
CC:
Subj: 0032 - Denial of Service via fake TCP packets

Date: Tue, 15 Nov 1994 21:40:00 -0500 (EST)
From: Problem Reporting Service
Newsgroups: tdr.problems
Organization: Tansin A. Darcos & Company, Silver Spring MD USA
Errors-To: PROBLEM-ERRORS@tdr.com
Message-Id: <94-0032.PROBLEMS@TDR.COM>
Subject: 0032 - Denial of Service via fake TCP packets
To: Recipients of list Problems

There has been considerable talk on the bugtraq list about the possibility of overloading a site by sending a forged packet via TCP/IP in which the claimed sender is someone other than where it actually came from. What I am talking about is where site C sends a data packet to site B with the forged sender address of site A, thus causing B to start sending data to A. (Under normal conditions, site C would indicate that site C was the sender of the packet.)

In TCP/IP there are several ports which have standard definitions for various purposes. One is the Character Generator port (CHARGEN, 19), which generates a continuous stream of ASCII characters. Another is the sink port, which accepts anything thrown at it and discards it (DISCARD, 9), as well as the echo port (ECHO, 7), which echoes back whatever is sent to it.

One possibility is to send a forged packet to the CHARGEN port on one site whose claimed source is that same site's DISCARD or ECHO port, or, to tie up network links as well, the equivalent port on some other site. CHARGEN answers the forged source address; if the source port is ECHO (or another CHARGEN), each reply provokes another reply, and the two services feed each other until something breaks the cycle. Thus you tie up the connection with frivolous transmissions and tie up the computers with frivolous daemon processes which are doing lots of I/O. This is easiest against the UDP versions of these services, which answer a single datagram with no handshake; the TCP versions are harder to abuse this way, because the forger never sees the sequence numbers in the victim's reply and so cannot complete the three-way handshake.

One solution to this problem is to put up a firewall between your inside sites and the Internet which only allows certain types of traffic in certain directions. Another would be, if your equipment supports it and you know it works, to turn off and disable connections to debugging ports such as ECHO and CHARGEN. (DISCARD may be useful to keep.)
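As an added illustration (not part of the original PROBLEMS message), here is detection logic for the two traffic patterns described above: packets whose source and destination ports are both "small services" (ECHO 7, DISCARD 9, DAYTIME 13, QOTD 17, CHARGEN 19), which is what a forged trigger packet or one leg of the resulting loop looks like, and ICMP echo requests aimed at a broadcast address. The packet records, the service table and the local network range are constructed for the example; a real deployment would feed it tuples decoded from a packet capture.

```python
"""Flag small-service loops and broadcast pings in a stream of packet records.

Added example, not code from the original message. The packet records and
the local network below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# "Small services" that answer anything sent to them; a packet with one of
# these on BOTH ends is either a forged trigger or a leg of the loop.
SMALL_SERVICES = {7: "echo", 9: "discard", 13: "daytime", 17: "qotd", 19: "chargen"}
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


@dataclass(frozen=True)
class Packet:
    proto: str          # "udp", "tcp" or "icmp"
    src: str
    sport: int          # 0 for icmp
    dst: str
    dport: int          # 0 for icmp
    icmp_type: int = -1 # 8 = echo request


def is_service_loop(p):
    """True when both endpoints are small-service ports (UDP or TCP)."""
    return (p.proto in ("udp", "tcp")
            and p.sport in SMALL_SERVICES
            and p.dport in SMALL_SERVICES)


def is_broadcast_ping(p, networks):
    """True for an ICMP echo request to a directed or limited broadcast address."""
    if p.proto != "icmp" or p.icmp_type != 8:
        return False
    addr = ipaddress.ip_address(p.dst)
    return addr == LIMITED_BROADCAST or any(addr == n.broadcast_address for n in networks)


def classify(packets, networks):
    """Return (kind, description) findings for every suspicious packet."""
    findings = []
    for p in packets:
        if is_service_loop(p):
            findings.append(("service-loop",
                             f"{p.proto} {p.src}:{p.sport}({SMALL_SERVICES[p.sport]}) -> "
                             f"{p.dst}:{p.dport}({SMALL_SERVICES[p.dport]})"))
        elif is_broadcast_ping(p, networks):
            findings.append(("broadcast-ping", f"{p.src} -> {p.dst}"))
    return findings


# Constructed sample data (documentation address ranges, not real hosts).
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
SAMPLE_PACKETS = [
    Packet("udp", "192.0.2.10", 19, "192.0.2.20", 7),        # chargen -> echo: loop leg
    Packet("udp", "192.0.2.10", 3456, "192.0.2.20", 7),      # someone just testing echo
    Packet("icmp", "198.51.100.5", 0, "192.0.2.255", 0, 8),  # ping to the directed broadcast
    Packet("icmp", "198.51.100.5", 0, "192.0.2.20", 0, 8),   # ordinary ping
    Packet("tcp", "192.0.2.10", 1024, "192.0.2.20", 80),     # ordinary web request
]

if __name__ == "__main__":
    for kind, detail in classify(SAMPLE_PACKETS, LOCAL_NETS):
        print(f"{kind:15} {detail}")
```

Only the chargen-to-echo packet and the ping to 192.0.2.255 are reported; a normal client talking to ECHO from a high port is left alone, so the rule does not fire on legitimate use of the debugging services.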
In fact, one recommended way to reduce problems is to turn off all ports, i.e. don't have *any* Internet services at all! :) Unfortunately, while that provides the most security, it is the least useful. A better alternative is to determine which services you do use and disable all the other ports.

Another problem to be aware of is a PING request sent to an address whose host part is all ones, i.e. a broadcast ping, which can be used to have every host on the network announce its existence. This can be either useful (for a router to determine what is connected to it) or undesired (for someone trying to find the address of every machine on your net in order to try reading their files). Just because a service has the possibility of misuse does not mean it will be misused, or that some uses may not in fact be desirable.

Here is a quick thumbnail look at the current list of official port numbers. It may be worth looking at for ideas. (One possibility is to look at one of the listed services and see if your site has it, and if it doesn't, whether it is something you could use. For example, it would be nice if MSDOS had RJE, so that you could start up a terminal on the network and issue batch commands on it, for example, to run a tape backup of a network at a specific time; OS/2 can provide this capability, and I think MS Windows might be able to do so, to a limited degree.)

Note: listing a port here doesn't mean these are the only ones you want to keep open; it is just an example taken from a few minutes looking at the list of official services. Failure to list a port number here doesn't mean services using an unlisted port should be denied.
Here are some of the ports most places would want to keep open, as they probably represent 90% of all activity:

   DISCARD     9
   DAYTIME    13
   FTP        20,21
   TELNET     23
   Mail       25
   TIME       37
   WHOIS      43
   DNS        53
   BOOT       67,68,69   (67-68 are BOOTP; 69 is TFTP)
   GOPHER     70
   The Web    80
   KERBEROS   88
   POP Mail  110
   News      119
   Net Time  123
   Net Mgmt  161-162
   IRC       194

Here are some you might want to take a look at, and see whether you use them or need them. If you don't, does your TCP daemon refuse connections on unused ports?

   TCPMUX      1        Do you use TCP multiplexing?
   ECHO        7        Do you need TCP/IP debugging?
   SYSTAT     11        Do you have a "systat" or systemwide finger command?
   QOTD       17        Do you use Quote of the Day?
   MSP        18        Is the "send" (message send) service available?
   CHARGEN    19        Do you need TCP/IP debugging?
   PVT-MAIL   24        Do you have a private mail service?
   ORACLE     66        Do you run Oracle SQL*NET?
   RJE        71-74     Do you even have Remote Job Entry?
   PVT-DIAL   75        Do you use private dial-outs?
   PVT-RJE    77        Do you use private remote job entry? Do you even use RJE at all?
   FINGER     79        Does your site provide finger?
   RTELNET   107        Does your site provide remote telnet?
   POP2      109        Do you provide POP2 mail service?
   SUNRPC    111        Do you use Remote Procedure Calls?
   INGRES    134        Do you run Ingres?
   APPLETALK 201-208    Do you have anything using AppleTalk?

RFC 1700 (Assigned Numbers) is the latest list of all "official" protocols. If you have something private on a service that doesn't use one of the above protocols, then you may be using one of the ports for something "unofficial", e.g. using a port reserved for IBM services for something else on a CDC, or using a Unisys service port for other services on an IBM mainframe.

Your comments on this issue are welcomed.

-----
Paul Robinson

Feel free to circulate this or other PROBLEMS messages. To reply to this or any earlier PROBLEMS message, write to ; for private replies or subscriptions use ; or use newsgroup . Please feel free to redistribute this article widely. Guest editorials are also welcome.

This message is file ftp.digex.net:/pub/access/tdarcos/problems/0032
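As an added example (not from the original message), the following script turns the checklist above into an audit: it reads an inetd.conf, reports which of the "take a look at" services are actually enabled, and writes out a copy with the unneeded ones commented out. The inetd.conf text is constructed for the example, and the service-name-to-port table is a subset of the official assignments restricted to services that inetd normally starts; PVT-MAIL, ORACLE, RJE and the like are left out because they are not inetd services.

```python
"""Audit an inetd.conf against the port checklist and comment out unneeded services.

Added example, not code from the original message. SAMPLE_INETD_CONF is
constructed; REVIEW_SERVICES maps inetd service names to assigned ports.
"""

# Checklist services that inetd commonly provides, keyed by /etc/services name.
REVIEW_SERVICES = {
    "tcpmux": 1, "echo": 7, "systat": 11, "daytime": 13, "qotd": 17,
    "msp": 18, "chargen": 19, "finger": 79, "pop2": 109, "sunrpc": 111,
}

SOCKET_TYPES = ("stream", "dgram", "raw", "rdm", "seqpacket")

# Constructed sample; not taken from any real host.
SAMPLE_INETD_CONF = """\
# constructed sample inetd.conf
echo     stream  tcp  nowait  root    internal
echo     dgram   udp  wait    root    internal
chargen  stream  tcp  nowait  root    internal
chargen  dgram   udp  wait    root    internal
discard  stream  tcp  nowait  root    internal
daytime  stream  tcp  nowait  root    internal
#qotd    stream  tcp  nowait  root    internal
finger   stream  tcp  nowait  nobody  /usr/etc/in.fingerd  in.fingerd
ftp      stream  tcp  nowait  root    /usr/etc/in.ftpd     in.ftpd
telnet   stream  tcp  nowait  root    /usr/etc/in.telnetd  in.telnetd
systat   stream  tcp  nowait  root    /bin/ps              -auwwx
"""


def parse_inetd(text):
    """Return [(service, proto, enabled, raw_line)] for each service entry.

    A leading '#' marks a disabled entry. Other comments and blank lines are
    skipped: an entry needs at least name, socket type, proto, wait, user,
    server, and the second field must be a valid socket type.
    """
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        enabled = not stripped.startswith("#")
        fields = stripped.lstrip("#").split()
        if len(fields) < 6 or fields[1] not in SOCKET_TYPES:
            continue
        entries.append((fields[0], fields[2], enabled, line))
    return entries


def audit(text):
    """Map each ENABLED checklist service to its port (what you should look at)."""
    return {svc: REVIEW_SERVICES[svc]
            for svc, _proto, enabled, _line in parse_inetd(text)
            if enabled and svc in REVIEW_SERVICES}


def enabled_services(text):
    """Set of all enabled service names, for checking nothing else was touched."""
    return {svc for svc, _p, enabled, _l in parse_inetd(text) if enabled}


def harden(text, keep=()):
    """Comment out every enabled checklist service not listed in `keep`."""
    out = []
    for line in text.splitlines():
        entry = parse_inetd(line)          # one line -> zero or one entry
        if entry and entry[0][2] and entry[0][0] in REVIEW_SERVICES \
                and entry[0][0] not in keep:
            out.append("#" + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for svc, port in sorted(audit(SAMPLE_INETD_CONF).items(), key=lambda kv: kv[1]):
        print(f"enabled: {svc:8} port {port}")
    # DAYTIME is on the "keep open" list above, so keep it; disable the rest.
    print(harden(SAMPLE_INETD_CONF, keep=("daytime",)))
```

On the sample file the audit reports echo, systat, daytime, chargen and finger; after hardening with daytime kept, only daytime remains on the checklist, while ftp, telnet and discard are untouched. Send inetd a SIGHUP after editing the real file so it re-reads the configuration.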