cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Anonymous
Not applicable

Sourced ICMP Ping Requests

Jump to solution

I am finding out that in most Adtran products, it is possible to send out an ICMP echo request from a device with a source IP that is not configured in any of the device's interface. I have been able to do this on both Adtran 900/900e, as well as on the NetVanta 3120 and NetVanta 3448.

Here is an example:

The following are the configured interface IPs on a NetVanta 3448:

NetVanta 3448.#sh ip int brief

Interface                        IP Address      Status      Protocol

eth 0/1                          172.16.67.58    UP          UP

vlan 2                           10.1.35.21      UP          UP

vlan 3                           10.0.0.1        UP          UP

vlan 10                          10.10.10.1      UP          UP

NetVanta 3448#

I will now attempt to send ICMP echo requests with a source IP of 198.100.144.10

NetVanta 3448#ping 69.85.0.1 source 198.100.144.10

Type CTRL+C to abort.

Legend: '!' = Success, '?' = Unknown host, '$' = Invalid host

        '*' = Request timed out, '-' = Destination host unrea

        'x' = TTL expired in transit, 'e' = Unknown error

Sending 5, 100-byte ICMP Echos to 69.85.0.1, timeout is 2 sec

*****

Success rate is 0 percent (0/5)

NetVanta 3448#

The remote device at 69.85.0.1 is receiving and responding to these echo requests.

Remote_Device#

1y13w: ICMP: echo reply sent, src 69.85.0.1, dst 198.100.144.10

1y13w: ICMP: echo reply sent, src 69.85.0.1, dst 198.100.144.10

1y13w: ICMP: echo reply sent, src 69.85.0.1, dst 198.100.144.10

1y13w: ICMP: echo reply sent, src 69.85.0.1, dst 198.100.144.10

This ability to source traffic with manipulated IP source headers can be exploited to launch DDoS type of attacks from Adtran devices.

Is this an over sight on Adtran's side?

0 Kudos
1 Solution

Accepted Solutions
jayh
Honored Contributor
Honored Contributor

Re: Sourced ICMP Ping Requests

Jump to solution

Probably not an oversight, the same thing can be done from any laptop by manually configuring any desired (or erroneous) IP and connecting it to a network.  It is up to the ISP or provider to prevent such packets from going out to the Internet.  The extended ping command is for privileged users in enable mode who presumably know what they are doing.  The Adtran firewall when enabled has reverse port forwarding protection so a user behind the device will by default not be able to source packets from outside the network to which the device is connected.

This capability is very useful as a diagnostic tool in VPN and MPLS scenarios, as well as testing NAT traversal and firewalls. 

Search "BCP38" for more details on the issue.

View solution in original post

0 Kudos
2 Replies
jayh
Honored Contributor
Honored Contributor

Re: Sourced ICMP Ping Requests

Jump to solution

Probably not an oversight, the same thing can be done from any laptop by manually configuring any desired (or erroneous) IP and connecting it to a network.  It is up to the ISP or provider to prevent such packets from going out to the Internet.  The extended ping command is for privileged users in enable mode who presumably know what they are doing.  The Adtran firewall when enabled has reverse port forwarding protection so a user behind the device will by default not be able to source packets from outside the network to which the device is connected.

This capability is very useful as a diagnostic tool in VPN and MPLS scenarios, as well as testing NAT traversal and firewalls. 

Search "BCP38" for more details on the issue.

0 Kudos
Anonymous
Not applicable

Re: Sourced ICMP Ping Requests

Jump to solution

Hello,

I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the

applicable buttons.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

Regards,

Geoff