Bugtraq mailing list archives
Re: TCP/IP implementations do not adequately validate ICMP error messages
From: Peter Keel <security () cyberlink ch>
Date: Wed, 11 May 2005 14:39:59 +0200
Alok Menghrajani - Ilion Security SA wrote:
> Hi,
>
> I was playing around with the ICMP error messages DoS attack (I found an
> exploit on securityfocus.org, bid 13214), and I noticed the following
> work-around: when I add the following rule to iptables, the Linux server
> (kernel 2.4.29-grsec) is no longer vulnerable to the DoS:
>
>     iptables -I INPUT 1 -p icmp -j DROP
>
> I am interested in knowing if this work-around makes any sense.
>
> Please keep me informed about this vulnerability.
It does not make sense. A few years ago somebody wrote an essay about that,
titled "security zealots break the internet" (can't find it anymore, though).
And that is what this does.

RFC 1122 states:

    "A Destination Unreachable message that is received MUST be reported to
    the transport layer. The transport layer SHOULD use the information
    appropriately; for example, see Sections 4.1.3.3, 4.2.3.9, and 4.2.4
    below. A transport protocol that has its own mechanism for notifying the
    sender that a port is unreachable (e.g., TCP, which sends RST segments)
    MUST nevertheless accept an ICMP Port Unreachable for the same purpose."

The problem:

- Hosts trying to send you something will experience a 2 minute delay, which
  might lead to a DoS attack against that host. We had that: some customer's
  primary MX did it, his sendmail went down, and our secondary MX had hundreds
  of open connections.

The other problem (fragmentation needed):

- Some DSL users have a lower MTU. You will block any request to fragment
  packets, so your host will be unreachable. Some idiots at internet banks
  did that.

This one is better:

    iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type port-unreachable -j ACCEPT
    iptables -A INPUT -p icmp -j DROP

Regards
Peter Keel
--
Operator in charge of Security    Tel +41 1 287 2993
Cyberlink Internet Services AG    Fax +41 1 287 2991
Richard Wagnerstrasse 6           admin () cyberlink ch
CH-8002 Zuerich                   http://www.cyberlink.ch
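The thread's subject is that TCP/IP stacks honoured ICMP errors without checking them against the connection they claimed to concern, and the reply above argues that the fix belongs in the stack, not in a blanket firewall DROP that also kills path MTU discovery and port-unreachable. The Python below is an added example written for this archive page; it is not code from the thread, from Linux, or from any kernel. It builds a legitimate and a forged ICMP Destination Unreachable / Fragmentation Needed message, then validates the quoted IP and TCP header against a constructed connection table, including the check that the quoted sequence number falls inside the sender's outstanding window, which is the mitigation RFC 5927 standardised some years after this thread. The addresses, ports, the `Conn` class and the connection table are constructed for illustration.

```python
"""Validate ICMP error messages against a TCP connection table.

Added example for the Bugtraq thread above; not kernel code. Addresses,
ports and the connection table below are constructed for illustration.
"""
import ipaddress
import struct
from dataclasses import dataclass

ICMP_DEST_UNREACH = 3
ICMP_PORT_UNREACH = 3   # code under type 3
ICMP_FRAG_NEEDED = 4    # code under type 3 (RFC 1191 path MTU discovery)
IPPROTO_TCP = 6


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; evaluates to 0 over a correct message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_icmp_error(code: int, orig_src: str, orig_dst: str,
                     sport: int, dport: int, seq: int, mtu: int = 0) -> bytes:
    """ICMP Destination Unreachable quoting the offending IP header plus the
    first 8 bytes of its TCP header (ports and sequence number), per RFC 792.
    For code 4 the last 16 bits of the ICMP header carry the next-hop MTU."""
    quote = ipv4_header(orig_src, orig_dst, IPPROTO_TCP, 8) + struct.pack("!HHI", sport, dport, seq)
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, code, 0, 0, mtu) + quote
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


@dataclass
class Conn:
    snd_una: int   # oldest unacknowledged sequence number (constructed state)
    snd_nxt: int   # next sequence number to be sent


def seq_in_window(seq: int, lo: int, hi: int) -> bool:
    """lo <= seq < hi in 32-bit modular (wrap-around) arithmetic."""
    return ((seq - lo) & 0xFFFFFFFF) < ((hi - lo) & 0xFFFFFFFF)


def validate_icmp_error(msg: bytes, conns: dict, check_seq: bool = True):
    """Return (accepted, reason, info). conns maps
    (local_addr, local_port, remote_addr, remote_port) -> Conn.

    check_seq=False reproduces the lax behaviour the thread is about: any
    message naming a live 4-tuple is honoured, so a blind attacker only has
    to guess the ports."""
    if len(msg) < 8 + 20 + 8:
        return False, "truncated: no quoted IP header plus 8 bytes of transport", {}
    if checksum(msg) != 0:
        return False, "bad ICMP checksum", {}
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if icmp_type != ICMP_DEST_UNREACH:
        return False, "not a Destination Unreachable message", {}
    ip = msg[8:28]
    if (ip[0] >> 4) != 4 or (ip[0] & 0x0F) * 4 != 20:
        return False, "quoted packet is not a plain IPv4 header", {}
    if ip[9] != IPPROTO_TCP:
        return False, "quoted packet is not TCP", {}
    # The quoted packet is one *we* sent, so its source is our local endpoint.
    src = str(ipaddress.IPv4Address(ip[12:16]))
    dst = str(ipaddress.IPv4Address(ip[16:20]))
    sport, dport, seq = struct.unpack("!HHI", msg[28:36])
    conn = conns.get((src, sport, dst, dport))
    if conn is None:
        return False, "no connection matches the quoted 4-tuple", {}
    if check_seq and not seq_in_window(seq, conn.snd_una, conn.snd_nxt):
        return False, "quoted sequence number is outside the send window", {}
    info = {"code": code, "mtu": mtu} if code == ICMP_FRAG_NEEDED else {"code": code}
    return True, "ok", info


def demo():
    # Constructed table: one SMTP session from 192.0.2.10 to 198.51.100.5.
    conns = {("192.0.2.10", 40000, "198.51.100.5", 25): Conn(snd_una=1000, snd_nxt=1400)}
    legit = build_icmp_error(ICMP_FRAG_NEEDED, "192.0.2.10", "198.51.100.5",
                             40000, 25, seq=1100, mtu=1400)
    forged = build_icmp_error(ICMP_FRAG_NEEDED, "192.0.2.10", "198.51.100.5",
                              40000, 25, seq=0x12345678, mtu=68)
    return {
        "legit": validate_icmp_error(legit, conns),
        "forged": validate_icmp_error(forged, conns),
        "forged_unchecked": validate_icmp_error(forged, conns, check_seq=False),
    }


if __name__ == "__main__":
    for name, (ok, why, info) in demo().items():
        print(f"{name:17s} {'ACCEPT' if ok else 'REJECT'}  {why}  {info}")
```

Run as a script it prints one verdict per case: the legitimate Fragmentation Needed message is accepted and its MTU of 1400 is handed to the transport layer, the forged one with a guessed sequence number is rejected, and the same forged message is accepted once the sequence check is switched off, which is the class of behaviour the thread's subject line refers to. The point is that the stack can keep honouring fragmentation-needed and port-unreachable, as RFC 1122 requires, while still discarding messages an off-path attacker could have produced.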
Current thread:
- TCP/IP implementations do not adequately validate ICMP error messages Alok Menghrajani - Ilion Security SA (May 10)
- Re: TCP/IP implementations do not adequately validate ICMP error messages Peter Keel (May 11)
- Re: TCP/IP implementations do not adequately validate ICMP error messages Maciej Soltysiak (May 11)
- Re: SPAM-HIGH: TCP/IP implementations do not adequately validate ICMP error messages David Nichols (May 11)
- RE: TCP/IP implementations do not adequately validate ICMP error messages David Schwartz (May 11)