| Field | Value |
|---|---|
| VID | 12054 |
| Severity | 30 |
| Port | |
| Protocol | TCP |
| Class | Protocol |
| Detailed Description | The machine answers TCP packets whose source is a multicast address. This means the machine can be exploited to initiate the denial-of-service attack known as 'spank'. Multicast addresses are routed (forwarded) specially by routers, which can multiply one packet into several. The concept is to send packets with a multicast (224.x.x.x) source address; an affected system then sends an error response back to the multicast destination, multiplying the bandwidth consumed. A remote attacker may use this flaw to shut down the affected server and saturate the network, including the server's own links. |
| Note | Please ignore this alert if the affected system is not on a multicast-enabled network. |
| References | http://www.apocalypseonline.com/security/text/spank.asp, http://www.w00w00.org/files/advisories/spank/spank.txt |
| Recommendation | For FreeBSD: "unofficial patch" by Don Lewis, http://www.w00w00.org/files/patches/don_lewis_tcp.diff. For other distributions: contact your operating system vendor for upgrade or patch information. As a workaround, filter out all incoming packets claiming to originate from multicast addresses (224.0.0.0/4). |
| Related URL | (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |