===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : Henk Steenman                               Index  :    S-96-04
Distribution  : World                                       Page   :          1
Classification: External                                    Version:          1
Subject       : UDP Port Denial-of-Service Attack           Date   :  09-Feb-96
===============================================================================

By courtesy of CERT Coordination Center we received the following information.

In CERT Coordination Centre Advisory CA-96.01, possiblities to cause denial of 
service and possible solutions are reported. 

This vulnerability allows performance degradation

This advisory provides methods to minimize the effect of this threat.

CERT-NL recommends to take very good notice if this applies to your situation,
and take relevant steps.

Additional information with regards to this vulnerability is placed in 
the README file associated with the advisory. You are encouraged to check 
on README file updates regularly. You can automate that process by using 
the CERT-NL notifier service. 

All CERT Coordination Center advisories and README's are mirrored by CERT-NL.
The specific URL's for this case are:

ftp://ftp.surfnet.nl/surfnet/net-security/cert-cc-mirror/
		cert_advisories/CA-96.UDP_service_denial
ftp://ftp.surfnet.nl/surfnet/net-security/cert-cc-mirror/
		cert_advisories/CA-96:01.README

More information about the CERT-NL mirror and notifier services is 
contained in News items N-95-01 (notifier) and N-95-02 (CERT mirror), 
both present on ftp://ftp.surfnet.nl/surfnet/net-security/cert-nl/docs/news/

==============================================================================


=============================================================================
CERT(sm) Advisory CA-96.01
February 8, 1996
Topic: UDP Port Denial-of-Service Attack
-----------------------------------------------------------------------------

The CERT Coordination Center has received reports of programs that launch
denial-of-service attacks by creating a "UDP packet storm" either on a system
or between two systems. An attack on one host causes that host to perform
poorly. An attack between two hosts can cause extreme network congestion in
addition to adversely affecting host performance.

The CERT staff recommends disabling unneeded UDP services on each host, in
particular the chargen and echo services, and filtering these services at the
firewall or Internet gateway.

Because the UDP port denial-of-service attacks typically involve IP spoofing,
we encourage you to follow the recommendations in advisory CA-95:01 and
CA-95:01.README.

As we receive additional information relating to this advisory, we
will place it in
        ftp://info.cert.org/pub/cert_advisories/CA-96.01.README

We encourage you to check our README files regularly for updates on
advisories that relate to your site.

-----------------------------------------------------------------------------

I.   Description 

     When a connection is established between two UDP services,
     each of which produces output, these two services can produce a
     very high number of packets that can lead to a denial of service
     on the machine(s) where the services are offered. Anyone with network
     connectivity can launch an attack; no account access is needed.
     
     For example, by connecting a host's chargen service to the echo service
     on the same or another machine, all affected machines may be
     effectively taken out of service because of the excessively high number
     of packets produced. In addition, if two or more hosts are so connected,
     the intervening network may also become congested and deny service
     to all hosts whose traffic traverses that network.

II.  Impact
     
     Anyone with network connectivity can cause a denial of service.
     This attack does not enable them to gain additional access.

III. Solution
     We recommend taking all the steps described below.

     1. Disable and filter chargen and echo services.
        This attack is most readily exploited using the chargen or echo
        services, neither of which is generally needed as far as we are aware.
        We recommend that you disable both services on the host and filter
        them at the firewall or Internet gateway.

        To disable these services on a host, it is necessary to edit the
        inetd configuration file and cause inetd to begin using the new
        configuration. Exactly how to do this is system dependent so you
        should check your vendor's documentation for inetd(8); but on many
        UNIX systems the steps will be as follows:
         (1) Edit the inetd configuration file (e.g. /etc/inetd.conf).
         (2) Comment out the echo, chargen, and other UDP services not used.
         (3) Cause the inetd process to reread the configuration file
             (e.g., by sending it a HUP signal).

     2. Disable and filter other unused UDP services.
        To protect against similar attacks against other services, we
        recommend
           -  disabling all unused UDP services on hosts and
           -  blocking at firewalls all UDP ports less than 900 with 
              the exception of specific services you require, such as
              DNS (port 53). 
     
     3. If you must provide external access to some UDP services, consider
        using a proxy mechanism to protect that service from misuse.
        Techniques to do this are discussed in Chapter 8, "Configuring
        Internet Services," in _Building Internet Firewalls_ by Chapman
        and Zwicky (see Section IV below).

     4. Monitor your network.
        If you do provide external UDP services, we recommend monitoring
        your network to learn which systems are using these services and
        to monitor for signs of misuse. Tools for doing so include Argus,
        tcpdump, and netlog.

        Argus is available from
             ftp://lancaster.andrew.cmu.edu/pub/argus-1.5/argus-1.5.tar.gz
             MD5 (argus-1.5.tar.gz) = 9c7052fb1742f9f6232a890267c03f3c
     
             Note that Argus requires the TCP wrappers to install:
             ftp://info.cert.org/pub/tools/tcp_wrappers/tcp_wrappers_7.2.tar.Z
             MD5 (tcp_wrappers_7.2.tar.Z) = 883d00cbd2dedd9bfc783b7065740e74

       tcpdump is available from
             ftp://ftp.ee.lbl.gov/tcpdump-3.0.2.tar.Z
             MD5 (tcpdump-3.0.2.tar.Z) = c757608d5823aa68e4061ebd4753e591
        
             Note that tcpdump requires libpcap, available at
                 ftp://ftp.ee.lbl.gov/libpcap-0.0.6.tar.Z
                 MD5 (libpcap-0.0.6.tar.Z) = cda0980f786932a7e2eebfb2641aa7a0

       netlog is available from
              ftp://net.tamu.edu/pub/security/TAMU/netlog-1.2.tar.gz
              MD5 (netlog-1.2.tar.gz) = 1dd62e7e96192456e8c75047c38e994b

      5. Take steps against IP spoofing.
         Because IP spoofing is typically involved in UDP port
         denial-of-service attacks, we encourage you to follow the
         guidance in advisory CA-95:01 and CA-95:01.README, available from

               ftp://info.cert.org/pub/cert_advisories/CA-95:01.IP.spoofing
               ftp://info.cert.org/pub/cert_advisories/CA-95:01.README
 

IV. Sources of further information about packet filtering

    For a general packet-filtering recommendations, see  
   
         ftp://info.cert.org/pub/tech_tips/packet_filtering

     For in-depth discussions of how to configure your firewall, see

         _Firewalls and Internet Security: Repelling the Wily Hacker_
         William R. Cheswick and Steven M. Bellovin 
         Addison-Wesley Publishing Company, 1994
         ISBN 0-201-63357
        
         _Building Internet Firewalls_
         Brent Chapman and Elizabeth D. Zwicky
         O'Reilly & Associates, Inc., 1995
         ISBN 1-56592-124-0

----------------------------------------------------------------------------
The CERT Coordination Center staff thanks Peter D. Skopp of Columbia
University for reporting the vulnerability and Steve Bellovin of AT&T Bell
Labs for his support in responding to this problem. 
----------------------------------------------------------------------------

============================================================================

CERT-NL is the Computer Emergency Response Team for SURFnet customers.
SURFnet is the Dutch network for educational, research and related
institutes.
CERT-NL is a member of the Forum of Incident Response and Security
Teams
(FIRST).

All CERT-NL material is available under:
  http://www.surfnet.nl/surfnet/security/cert-nl.html
  ftp://ftp.surfnet.nl/surfnet/net-security

In case of computer or network security problems please contact your
local CERT/security-team or CERT-NL  (if your institute is NOT a
SURFnet
customer please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).
   Email:     cert-nl@surfnet.nl
   Phone:     +31 302 305 305
   Fax:       +31 302 305 329
   Snailmail: SURFnet bv
              Attn. CERT-NL
              P.O. Box 19035
              NL - 3501 DA  UTRECHT
              The Netherlands
   A 7 * 24 hours phone number is available to SURFnet SSC's and FIRST
   members on request.
===========================================================================