March 11th, 2002, 10:50 AM
HELP!! Invalid ICMP error
I've got this error message on my Redhat 6.2: "126.96.36.199 sent an invalid ICMP error to a broadcast", then my linux box locked up. I can't even log in locally. Please let me know how I can log in again and how I can prevent this attack again.
March 11th, 2002, 11:47 AM
Probably it is a kernel bug.
Connect a keyboard and monitor to your box. Most likely it is totally frozen.
This could be one of the well-known DOS-attacks against the linux tcp-ip stack in older versions.
to prevent it from happening again, you can do two things:
- upgrade your kernel
- setup ipchains/iptables not to allow this type of icmp (if it is not a vital one)
one tip: once you have the keyboard connected to your machine, press alt-print-space and see if you get an answer on one of the consoles.
if yes, you are lucky and probably won't lose any data (if you use ext3, you won't anyway)
then you can do alt-print-S (SYNC, best twice with 10 seconds in between). then alt-print-U (UMOUNT all Filesystems). then reboot your machine (alt-print-B i think) and go immediately into single-user mode. unless you use only journaling filesystems, you need to force FSCK after this kind of crash!
March 11th, 2002, 02:18 PM
THANK YOU VERY MUCH M.Hirsch!! I haven't tried it yet, I'll let you know if I need other help. Thanks again.
March 11th, 2002, 02:53 PM
>> This could be one of the well-known DOS-attacks
That's actually known as a smurf attack. In old versions of BSDs you can run sysctl and turn that (net.inet.icmp.bmcastecho) off explicitly.
March 11th, 2002, 03:33 PM
of course you can do that in linux too... it's hidden somewhere in the proc-fs, but i cannot tell you right now where exactly (as my linux pc just had a HD-crash)
tnx for the hint anyway.
and i'll look it up as soon as i found the time (and money) to order a new hd...
March 11th, 2002, 04:52 PM
Thanks for your help. But how to use sysctl? Could you show me the command line?
March 11th, 2002, 04:56 PM
you asked in a linux forum, are u using linux or freebsd? the kernel-level stuff is quite different!
for linux docs, refer to /usr/src/linux/Documentation/proc-fs.txt (or similar, can't look it up right now) if you have kernel sources installed.
looking at your first post again, you are using linux (redhat)
so the sysctl is of no use for you
the command line for linux is similar to (but not 100% the same since i cannot look up the correct syntax right now):
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
Last edited by M.Hirsch; March 11th, 2002 at 05:00 PM.
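For the proc-fs settings discussed in this thread, an added example (not written by any poster here) that checks the two Linux keys governing ICMP traffic to broadcast addresses and can set them. The key names are the kernel's own from its ip-sysctl documentation, not from the thread; the tree argument and the `PROC_ROOT` variable are assumptions added so the functions can be run against a copy.

```shell
#!/bin/sh
# Added example: audit the Linux ICMP broadcast sysctls (constructed, not from the thread).
KEYS="icmp_echo_ignore_broadcasts icmp_ignore_bogus_error_responses"

# Print "key=value"; value is "missing" if this kernel does not expose the key.
read_key() {
    f="$1/net/ipv4/$2"
    if [ -r "$f" ]; then
        printf '%s=%s\n' "$2" "$(tr -d '[:space:]' < "$f")"
    else
        printf '%s=missing\n' "$2"
    fi
}

# List every key that is not 1; return 1 if any was found, else 0.
# $1 is the sysctl tree (assumption: a parameter so a copy can be tested).
audit_icmp() {
    root=${1:-/proc/sys}
    rc=0
    for key in $KEYS; do
        line=$(read_key "$root" "$key")
        case $line in
            *=1) ;;
            *) echo "NOT SET: $line"; rc=1 ;;
        esac
    done
    return $rc
}

# Write 1 to each key that exists and is writable (root on the live tree).
harden_icmp() {
    root=${1:-/proc/sys}
    for key in $KEYS; do
        f="$root/net/ipv4/$key"
        if [ -w "$f" ]; then echo 1 > "$f"; fi
    done
    return 0
}

# Stand-alone run: report only, never write.
audit_icmp "${PROC_ROOT:-/proc/sys}" || echo "run harden_icmp as root to set them"
```

`icmp_echo_ignore_broadcasts` stops the host from answering broadcast pings, while `icmp_ignore_bogus_error_responses` only silences the kernel warning about bogus ICMP errors sent to a broadcast. Values written under /proc are lost at reboot, so the same settings also belong in /etc/sysctl.conf as `net.ipv4.<key> = 1`.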