Bugtraq mailing list archives

Re: SPAM-HIGH: TCP/IP implementations do not adequately validate ICMP error messages

From: David Nichols <dnichols () amci com>
Date: Wed, 11 May 2005 10:20:55 -0400

Hello Alok-

What you are doing is dropping all incoming icmp packets, includingthose that may be valid. A much better way of dealing with the problemis rate limiting the packets so that they get through as long as theycome in slow enough. The idea is that a DOS will send you a largenumber of packets in a very short amount of time. Those you can safelydrop.

Here's a short example that creates two tables, one for incoming icmp(icmp_in) and one for outgoing icmp (icmp_out).

icmp_in is called with the following line in the INPUT table:
   $IPTABLES -A INPUT -p ICMP -j icmp_in

icmp_out is called with the following line in the OUTPUT table:
   $IPTABLES -A OUTPUT -p icmp -j icmp_out

############################################
# filter.icmp_in chain
# Called from filter.input
#
# 1. Only accept 4 types based on their icmp-type
#    Type 0:  Echo Replies (allows response from Ping request by firewall)
#             State matched to prevent replies we didn't request.

# Type 8: Echo Request (allows LAN and Internet to Ping thefirewall, rate

#             limited to prevent Ping o' Death attacks.
#    Type 3:  Destination Unreachable (All type codes)
#    Type 11: Time Exceeded: TTL = 0 in transit

# Types 3 & 11 allowed so DNS proxy can receive errors contacting aserver.

#

echo "icmp_in"

$IPTABLES -N icmp_in
$IPTABLES -A icmp_in -p ICMP --icmp-type 0 -m state \
                    --state ESTABLISHED -j ACCEPT
$IPTABLES -A icmp_in -i $LAN_IFACE -p ICMP --icmp-type 8 \
                    -m limit --limit 100/second --limit-burst 5 -j ACCEPT
$IPTABLES -A icmp_in -i $INET_IFACE -p ICMP --icmp-type 8 \
                    -m limit --limit 50/second --limit-burst 5 -j ACCEPT
$IPTABLES -A icmp_in -p ICMP --icmp-type 3 -m limit \
                    --limit 25/second --limit-burst 5 -j ACCEPT
$IPTABLES -A icmp_in -p ICMP --icmp-type 11 -m limit \
                    --limit 25/second --limit-burst 5 -j ACCEPT
$IPTABLES -A icmp_in -p ICMP -j DROP


############################################
# filter.icmp_out chain
# Called from filter.output
#
# 1. Only output 4 types based on their icmp-type
#    Type 0:  Echo Replies (allows response from Ping request to firewall)

# Incoming echo requests are rate limited in the icmp_inchain above.

#    Type 8:  Echo Request (allows basic connectivity check from firewall)
#    Type 3:  Destination Unreachable (All type codes)
#    Type 11: Time Exceeded: TTL = 0 in transit

# Types 3 & 11 allowed so firewall can send out errors contactinginternal DNS.


echo "icmp_out"

$IPTABLES -N icmp_out
$IPTABLES -A icmp_out -p ICMP --icmp-type 0 -m state \
                     --state ESTABLISHED -j ACCEPT
$IPTABLES -A icmp_out -p ICMP --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_out -p ICMP --icmp-type 3 -j ACCEPT
$IPTABLES -A icmp_out -p ICMP --icmp-type 11 -j ACCEPT
$IPTABLES -A icmp_out -m limit --limit 3/minute --limit-burst 1 -j LOG \

--log-level DEBUG --log-prefix "Improper ICMP fromFW: "

$IPTABLES -A icmp_out -p ICMP -j DROP

There's a great iptables tutorial on the web that explains rate limitingpackets, along with everything else.http://iptables-tutorial.frozentux.net/


Hope this helped!

David Nichols


Alok Menghrajani - Ilion Security SA wrote:

Hi,
I was playing around with the ICMP error messages DOS attack (I foundan exploit on securityfocus.org bid 13214), and I noticed thefollowing work around:
when I add the following rule to iptables, the linux server (Kernel2.4.29-grsec) is no longer vulnerable to the DOS:
iptables -I INPUT 1 -p icmp -j DROP
I am interested in knowing if this work around makes any sense. Pleasekeep me informed about this vulnerability.
Thank you,
Alok.


--
"The problem is that, when we begin to realize the potential goodness in ourselves, we often take our discovery much too 
seriously.  We might kill for goodness or die for goodness; we want it so badly. What is lacking is a sense of humor. Humor here 
does not mean telling jokes or being comical or criticizing others and laughing at them. A genuine sense of humor is having a 
light touch: not beating reality into the ground but appreciating reality with a light touch.  The basis of Shambhala vision is 
rediscovering that perfect and real sense of humor, that light touch of appreciation."
Shambhala - The Sacred Path of the Warrior

Current thread:

TCP/IP implementations do not adequately validate ICMP error messages Alok Menghrajani - Ilion Security SA (May 10)
- Re: TCP/IP implementations do not adequately validate ICMP error messages Peter Keel (May 11)
- Re: TCP/IP implementations do not adequately validate ICMP error messages Maciej Soltysiak (May 11)
- Re: SPAM-HIGH: TCP/IP implementations do not adequately validate ICMP error messages David Nichols (May 11)
- RE: TCP/IP implementations do not adequately validate ICMP error messages David Schwartz (May 11)