Firewall Wizards mailing list archives

Re: Odp: icmp scans


From: Gigi Sullivan <sullivan () seclab com>
Date: Fri, 13 Nov 1998 14:02:09 +0100 (CET)


Hello:)

On Thu, 12 Nov 1998, Bob Acosta wrote:

> Date: Thu, 12 Nov 1998 12:38:14 -0500
> From: Bob Acosta <acostar () allied-chas com>
> To: Gigi Sullivan <sullivan () seclab com>,
>      Chris Kostick <christopher.t.kostick () cpmx saic com>
> Cc: Pawel Maciejewski <laban () op onet pl>,
>      Neil Ratzlaff <Neil.Ratzlaff () ucop edu>, firewall-wizards () nfr net,
>      fw-1-mailinglist () lists us checkpoint com
> Subject: Re: Odp: icmp scans
>
> True ip could be construed as unreliable (more like insecure), and yes
> application-level programming could help make it safer (how many
> programmers are concerned about security - more interested in functionality
> and getting it on the shelf).  Out of curiosity, why has there been no

Right.

> pseudo application proxy for icmp.  One that checks the data portion of the

Well, it won't be hard to develop such an app.
Just FYI, as always, route|daemon9 had developed another project called Pingd.
(www.infonexus.com/~daemon9/Projects)
He swapped ICMP (only ECHO|ECHOREPLY) from kernel land to userland w/ a
little kernel 2.0.x patch.

It's possible to modify this project to add more functionality, e.g. the
data portion check, to see if something is wrong.
His idea is simple but useful IMHO, since you are able to use ICMP
w/o being too afraid.

As I said, it's possible to "embed" everything you want in the data
portion of every protocol.
This is the "common" way to fool some packet filter firewalls (e.g. ones that
leave UDP port 53 open for DNS stuff).
AFAIK Raptor (a proxy gw firewall) can perform Application Data Scanning.

> packets for non-standard strings.  It was my impression that the data
> portion of the packet was used primarily for feeding back routing info,
> timestamps/delays and such.  Has anybody from TIS looked into this, or is
> the issue too complex?  My stance is to refuse all icmp, however many sites
> refuse to turn it off.  They indicate it is either needed for
> troubleshooting reasons (ok - but then turn it off), or for monitoring
> purposes (are my remote systems still up?), and for some unknown reason even
> some applications require a pre-icmp before permitting a connection (would
> like to know why).  Also, I am concerned with the way icmp has a direct line
> from layer 3 to the kernel of some, maybe most systems (if I am correct).
Bye bye
Have a nice day and ... I apologize for my bad English ;)



                        -- gg sullivan

--
Lorenzo Cavallaro
Intesis SECURITY LAB            Phone: +39-02-671563.1
Via Settembrini, 35             Fax: +39-02-66981953
I-20124 Milano  ITALY           Email: sullivan () seclab com
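The data-portion check the reply suggests bolting onto a userland ICMP proxy, as an added illustration that is not code from this thread or from the Pingd project: it parses one echo/echo-reply, verifies the checksum, and passes only payloads matching a stock ping fill pattern (the Windows a..w alphabet and the iputils offset fill, assumed here as well-known defaults), dropping anything else as a "non-standard string".

```python
import struct

# Constructed from well-known ping defaults (an assumption, not from the post):
# Windows ping fills the data with the letters a..w repeating; Linux iputils
# ping sends a timestamp (8 or 16 bytes) and then each byte equals its offset.
WINDOWS_ALPHABET = b"abcdefghijklmnopqrstuvw"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; a valid packet sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def looks_like_standard_ping(payload: bytes) -> bool:
    """True only if the echo data matches a stock ping fill pattern."""
    n = len(payload)
    if n == 0:
        return False
    if payload == (WINDOWS_ALPHABET * (n // len(WINDOWS_ALPHABET) + 1))[:n]:
        return True
    for ts_len in (8, 16):
        if n > ts_len and all(payload[i] == (i & 0xFF) for i in range(ts_len, n)):
            return True
    return False


def inspect_icmp(packet: bytes) -> dict:
    """Proxy-style check of one ICMP echo/echo-reply: pass, or drop with a reason."""
    if len(packet) < 8:
        return {"verdict": "drop", "reason": "truncated ICMP header"}
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_checksum(packet) != 0:
        return {"verdict": "drop", "reason": "bad checksum"}
    if icmp_type not in (0, 8) or code != 0:
        return {"verdict": "drop", "reason": "not echo/echo-reply"}
    if not looks_like_standard_ping(packet[8:]):
        return {"verdict": "drop", "reason": "non-standard echo data", "id": ident, "seq": seq}
    return {"verdict": "pass", "id": ident, "seq": seq}


def build_echo(payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Build a constructed echo request (type 8) with a correct checksum, for testing."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload
```

Anything the proxy drops with "non-standard echo data" is the case worth logging, since that is exactly the payload a stock ping would never produce.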
