Bugtraq mailing list archives
Re: Router programming,source routes and spoofed ICMP attacks.
From: fitz () draco mv com (Tom Fitzgerald)
Date: Fri, 21 Jun 1996 01:45:30 -0400
> 2: If you run a vulnerable machine (IRC or other chat server), consider blocking icmp from outside your network from being passed through if it's destined for that server.

> I noticed a bit of this weirdness being reported by gated the other day. Does anyone know how to block it at the gated level, or is it automatically done because it isn't on the local network?

Gated was probably complaining about route-redirects, which are one (rare) form of bomb. Gated can't block them but it will remove the redirected routes as soon as it notices them, so you may get a hiccup in availability but no lost connections. ICMP bombs made of host-unreachables and port-unreachables are more common - gated won't see them and on some platforms they'll cause a disconnect.

The fix for redirect bombs is to do standard spoof-filtering: block all packets coming into your site that have a source-address within your site. Your TCP stack should also make sure that the source of a redirect is the original next-hop for the specified route (BSD 4.4 does this but I don't know how common it is).

Responding to the original poster.... people should NOT block ICMPs to systems that don't let unreachables disconnect a connection that's in ESTABLISHED state. These systems are immune to bombs, and blocking all ICMPs has bad side-effects like making e-mail delivery attempts take much longer. Fixing the TCP stack is the real solution; filtering ICMPs is a crude hack to get around a broken TCP.

--
Tom Fitzgerald fitz () draco mv com
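
The three checks described in the message above (spoof filtering at the border, validating the source of a redirect, and not dropping ESTABLISHED connections on unreachables), as an added C example that is not part of the original post and not taken from any real TCP stack. The site prefix, gateway address, and all function and enum names are assumptions, and folding the border filter and the host-side checks into one function is a simplification.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed values: site prefix 192.0.2.0/24, default gateway 192.0.2.1. */
#define SITE_NET  0xC0000200u
#define SITE_MASK 0xFFFFFF00u
#define GATEWAY   0xC0000201u

enum tcp_state { SYN_SENT, ESTABLISHED };
enum icmp_kind { REDIRECT, HOST_UNREACH, PORT_UNREACH };
enum verdict   { DROP, ACCEPT_REDIRECT, FAIL_CONNECT, SOFT_ERROR };

/* Border spoof filter: a packet arriving from outside must not carry
 * a source address that belongs to the site. */
bool ingress_spoofed(uint32_t src, bool from_outside)
{
    return from_outside && (src & SITE_MASK) == SITE_NET;
}

/* Hypothetical policy combining the border filter with the host checks. */
enum verdict icmp_policy(enum icmp_kind kind, uint32_t src, bool from_outside,
                         uint32_t route_next_hop, enum tcp_state st)
{
    if (ingress_spoofed(src, from_outside))
        return DROP;
    switch (kind) {
    case REDIRECT:
        /* Only the current next hop for the route may redirect it. */
        return src == route_next_hop ? ACCEPT_REDIRECT : DROP;
    case HOST_UNREACH:
    case PORT_UNREACH:
        /* Never tear down an ESTABLISHED connection on an unreachable;
         * before that, let the connect attempt fail quickly. */
        return st == ESTABLISHED ? SOFT_ERROR : FAIL_CONNECT;
    }
    return DROP;
}

int main(void)
{
    /* Redirect claiming to come from the gateway but arriving from outside. */
    printf("%d\n", icmp_policy(REDIRECT, GATEWAY, true, GATEWAY, ESTABLISHED));
    /* Unreachable from an outside router during an established session. */
    printf("%d\n", icmp_policy(HOST_UNREACH, 0xC6336401u, true, GATEWAY, ESTABLISHED));
    return 0;
}
```

The first case shows why the next-hop check alone is not enough: a redirect forged with the gateway's own address passes it, and only the border spoof filter rejects it.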