#1
    HELP!! Invalid ICMP error


    Dear all,
    I got this error message on my Redhat 6.2 box: "209.3.198.22 sent an invalid ICMP error to a broadcast". Then my linux box locked up. I can't even log in locally. Please let me know how I can log in again and how I can prevent this attack from happening again.
  2. #2
    Probably it is a kernel bug.
    Connect a keyboard and monitor to your box. Most likely it is totally frozen.
    This could be one of the well-known DOS-attacks against the linux tcp-ip stack in older versions.
    To prevent it from happening again, you can do two things:
    - upgrade your kernel
    - set up ipchains/iptables not to allow this type of icmp (if it is not a vital one)

    One tip: once you have the keyboard connected to your machine, press alt-print-space and see if you get an answer on one of the consoles.
    If yes, you are lucky and probably won't lose any data (if you use ext3, you won't anyway).
    Then you can do alt-print-S (SYNC, best twice with 10 seconds in between), then alt-print-U (UMOUNT all filesystems). Then reboot your machine (alt-print-B i think) and go immediately into single-user mode. Unless you use only journaling filesystems, you need to force FSCK after this kind of crash!

    Manuel
  4. #3
    THANK YOU VERY MUCH M.Hirsch!! I haven't tried it yet, I'll let you know if I need other help. Thanks again.
  6. #4
    >> This could be one of the well-known DOS-attacks

    That's actually known as a smurf attack. In old versions of BSDs you can run sysctl and turn that (net.inet.icmp.bmcastecho) off explicitly.
  8. #5
    of course you can do that in linux too... it's hidden somewhere in the proc-fs, but i cannot tell you right now where exactly (as my linux pc just had a HD-crash)

    tnx for the hint anyway.

    and i'll look it up as soon as i find the time (and money) to order a new hd...
  10. #6
    Originally posted by freebsd:
    > >> This could be one of the well-known DOS-attacks
    >
    > That's actually known as a smurf attack. In old versions of BSDs you can run sysctl and turn that (net.inet.icmp.bmcastecho) off explicitly.

    Thanks for your help. But how do I use sysctl? Could you show me the command line?
  12. #7
    you asked in a linux forum, are u using linux or freebsd? the kernel-level stuff is quite different!

    for linux docs, refer to /usr/src/linux/Documentation/proc-fs.txt (or similar, can't look it up right now) if you have kernel sources installed.

    [edit]
    looking at your first post again, you are using linux (redhat)
    so the sysctl is of no use for you
    the command line for linux is similar to (but not 100% the same since i cannot look up the correct syntax right now):
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    [/edit]
    Last edited by M.Hirsch; March 11th, 2002 at 06:00 PM.
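
The Linux /proc settings this thread is reaching for, as an added example that is not part of the original posts: a small audit-and-harden script for the two ICMP broadcast sysctls. `SYSCTL_ROOT` and the function names are hypothetical, introduced here so the script can be tried against a scratch directory before touching a live host.

```shell
#!/bin/sh
# Added example: audit and harden the Linux ICMP broadcast sysctls.
# SYSCTL_ROOT is a hypothetical override for dry runs; a real host uses /proc/sys.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# icmp_echo_ignore_broadcasts: 1 = do not answer echo requests sent to a
#   broadcast/multicast address, so the host cannot be used as a smurf amplifier.
# icmp_ignore_bogus_error_responses: 1 = do not log a kernel warning for
#   bogus ICMP error responses to broadcast frames.
ICMP_KEYS="net/ipv4/icmp_echo_ignore_broadcasts net/ipv4/icmp_ignore_bogus_error_responses"

# Print "key=value" for each setting; return 1 if any is missing or not 1.
icmp_audit() {
    rc=0
    for key in $ICMP_KEYS; do
        file="$SYSCTL_ROOT/$key"
        if [ -r "$file" ]; then
            val=$(cat "$file")
        else
            val=missing
        fi
        echo "$key=$val"
        [ "$val" = "1" ] || rc=1
    done
    return $rc
}

# Write 1 to each setting that exists (needs root on a real host),
# then re-audit so the caller sees the resulting state.
icmp_harden() {
    for key in $ICMP_KEYS; do
        file="$SYSCTL_ROOT/$key"
        if [ -w "$file" ]; then
            echo 1 > "$file"
        fi
    done
    icmp_audit
}

# Stand-alone use: "script audit" or "script harden"; no argument does nothing.
case "${1:-}" in
    audit)  icmp_audit ;;
    harden) icmp_harden ;;
esac
```

Values written under /proc/sys do not survive a reboot; to persist them, put the matching `net.ipv4.icmp_echo_ignore_broadcasts = 1` style entries in /etc/sysctl.conf.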
