Bugtraq mailing list archives

Re: TCP/IP implementations do not adequately validate ICMP error messages

From: Peter Keel <security () cyberlink ch>
Date: Wed, 11 May 2005 14:39:59 +0200

Alok Menghrajani - Ilion Security SA wrote:

Hi,

I was playing around with the ICMP error messages DOS attack (I found an
exploit on securityfocus.org bid 13214), and I noticed the following
work around:

when I add the following rule to iptables, the linux server (Kernel
2.4.29-grsec) is no longer vulnerable to the DOS:
iptables -I INPUT 1 -p icmp -j DROP

I am interested in knowing if this work around makes any sense. Please
keep me informed about this vulnerability.


It does not make sense. A few years ago somebody wrote an essay about
that, titled "security zealots break the internet" (can't find it
anymore, though). And that is what this does.

RFC 1122 states:
"A Destination Unreachable message that is received MUST be
 reported to the transport layer.  The transport layer SHOULD
 use the information appropriately; for example, see Sections
 4.1.3.3, 4.2.3.9, and 4.2.4 below.  A transport protocol
 that has its own mechanism for notifying the sender that a
 port is unreachable (e.g., TCP, which sends RST segments)
 MUST nevertheless accept an ICMP Port Unreachable for the
 same purpose."

The Problem:
- Hosts trying to send you something will experience a 2 minute delay,
which might lead to a DoS-attack against that host. We had that,
some customers primary MX did it, his sendmail went down, and our
secondary MX had hundreds of open connections.

The other problem (fragmentation needed):
- Some DSL-users have a lower MTU. You will block any request to
fragment packets, so your host will be unreachable. Some idiots
at internet-banks did that.

This one is better:
iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp --icmp-type port-unreachable -j ACCEPT
iptables -A INPUT -p icmp -j DROP

Regards
Peter Keel
-- 
Operator in charge of Security        Tel +41 1 287 2993
Cyberlink Internet Services AG        Fax +41 1 287 2991
Richard Wagnerstrasse 6               admin () cyberlink ch
CH-8002 Zuerich                  http://www.cyberlink.ch

Current thread:

TCP/IP implementations do not adequately validate ICMP error messages Alok Menghrajani - Ilion Security SA (May 10)
- Re: TCP/IP implementations do not adequately validate ICMP error messages Peter Keel (May 11)
- Re: TCP/IP implementations do not adequately validate ICMP error messages Maciej Soltysiak (May 11)
- Re: SPAM-HIGH: TCP/IP implementations do not adequately validate ICMP error messages David Nichols (May 11)
- RE: TCP/IP implementations do not adequately validate ICMP error messages David Schwartz (May 11)