2 Replies Latest reply on Jul 9, 2014 12:21 PM by geo

    Sourced ICMP Ping Requests

    joeln New Member

      I am finding out that in most Adtran products, it is possible to send out an ICMP echo request from a device with a source IP that is not configured on any of the device's interfaces. I have been able to do this on both Adtran 900/900e, as well as on the NetVanta 3120 and NetVanta 3448.

       

      Here is an example:

       

      The following are the configured interface IPs on a NetVanta 3448:

       

      NetVanta 3448.#sh ip int brief
      Interface                        IP Address      Status      Protocol
      eth 0/1                          172.16.67.58    UP          UP
      vlan 2                           10.1.35.21      UP          UP
      vlan 3                           10.0.0.1        UP          UP
      vlan 10                          10.10.10.1      UP          UP
      NetVanta 3448#

       

      I will now attempt to send ICMP echo requests with a source IP of 198.100.144.10

       

      NetVanta 3448#ping 69.85.0.1 source 198.100.144.10
      Type CTRL+C to abort.
      Legend: '!' = Success, '?' = Unknown host, '$' = Invalid host
              '*' = Request timed out, '-' = Destination host unrea
              'x' = TTL expired in transit, 'e' = Unknown error

      Sending 5, 100-byte ICMP Echos to 69.85.0.1, timeout is 2 sec
      *****
      Success rate is 0 percent (0/5)
      NetVanta 3448#

       

      The remote device at 69.85.0.1 is receiving and responding to these echo requests.

      Remote_Device#
      1y13w: ICMP: echo reply sent, src 69.85.0.1, dst 198.100.144.10
      1y13w: ICMP: echo reply sent, src 69.85.0.1, dst 198.100.144.10
      1y13w: ICMP: echo reply sent, src 69.85.0.1, dst 198.100.144.10
      1y13w: ICMP: echo reply sent, src 69.85.0.1, dst 198.100.144.10

       

      This ability to source traffic with manipulated IP source headers can be exploited to launch DDoS type of attacks from Adtran devices.

       

      Is this an oversight on Adtran's side?

        • Re: Sourced ICMP Ping Requests
          jayh Hall_of_Fame

          Probably not an oversight; the same thing can be done from any laptop by manually configuring any desired (or erroneous) IP and connecting it to a network.  It is up to the ISP or provider to prevent such packets from going out to the Internet.  The extended ping command is for privileged users in enable mode who presumably know what they are doing.  The Adtran firewall when enabled has reverse port forwarding protection so a user behind the device will by default not be able to source packets from outside the network to which the device is connected.

           

          This capability is very useful as a diagnostic tool in VPN and MPLS scenarios, as well as testing NAT traversal and firewalls. 

           

          Search "BCP38" for more details on the issue.
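
The provider-side source check that BCP38 describes, as an added example that is not part of the original thread and is not Adtran or ISP configuration: a packet is forwarded only if its source address lies inside a prefix assigned to the port it arrived on. The port name and the /29 mask are assumptions (the thread gives the WAN address 172.16.67.58 but no mask); the sample packets are constructed from addresses in the thread.

```python
import ipaddress

# Assumption: prefixes the provider has assigned to each customer-facing port.
# "cust-port-1" and the /29 are constructed for this example.
ASSIGNED = {
    "cust-port-1": ["172.16.67.56/29"],
}

def build_filter(assigned):
    """Parse the per-port prefix lists once, rejecting malformed prefixes early."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in assigned.items()}

def ingress_permit(filt, port, src):
    """BCP38 ingress check: permit only sources inside a prefix assigned to
    the arrival port. Unknown ports and unparseable sources are dropped."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in filt.get(port, []))

def verdicts(filt, packets):
    """Return 'permit' or 'drop' for each (port, src, dst) tuple, in order."""
    return ["permit" if ingress_permit(filt, port, src) else "drop"
            for port, src, _dst in packets]

FILTER = build_filter(ASSIGNED)

# Constructed sample traffic arriving at the provider edge.
SAMPLE_PACKETS = [
    ("cust-port-1", "172.16.67.58", "69.85.0.1"),    # router's real WAN address
    ("cust-port-1", "198.100.144.10", "69.85.0.1"),  # the sourced ping from the thread
    ("cust-port-1", "10.10.10.1", "69.85.0.1"),      # internal VLAN address, not assigned
    ("unlisted-port", "172.16.67.58", "69.85.0.1"),  # port with no assignment: default deny
    ("cust-port-1", "not-an-ip", "69.85.0.1"),       # malformed source
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, verdicts(FILTER, SAMPLE_PACKETS)):
        print(f"{verdict:6} port={pkt[0]} src={pkt[1]} dst={pkt[2]}")
```
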

            • Re: Sourced ICMP Ping Requests
              geo Employee

              Hello,

               

              I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

               

              Regards,

              Geoff