Re: ICMP Security Vulnerabilities - NEW (cough)

["Eric Paynter" <eric () arcticbears com>]

On Tue, July 12, 2005 2:42 pm, Vic Vandal said:
> 3)
[...]
>   I will acknowledge that the first "widely published" discussion
>   on the exact topic of ICMP filtering was "probably" in the 1995
>   release of "Building Internet Firewalls" (by Chapman and Zwicky).
>   I had the book in my desk back then, but left it behind when I
>   left the organization that paid for it.  IF I still had it, I'd
>   gladly quote it directly to verify the exact verbiage/discussion
>   of the topic therein.

I just happen to have "Building Internet Firewalls" on my desk, 2nd
Edition published in 2000, I guess updated since your version. Although
there is a whole chapter on ICMP filtering, the basic advice for source
quench is to allow it, so this particular source still didn't know about
the problems in 2000. The only relevant quotes I could find were in
Chapter 22:

"The other ICMP message types you probably want to allow, both inbound and
outbound, are 'source quench' (used by a receiver to tell a sender to
'slow down' because it's sending data too fast) and 'parameter
problem'..." p 652

"In general, you want to allow ICMP outbound only when it has the chance
of doing you some good. Both 'source quench' and 'parameter problem' are
used to get the sending host to be nicer to you and are worth allowing
outbound." p 653

And in a summary table for ICMP, under "Permit/Deny", next to "Message
Type 4",  it says "Should usually be allowed in both directions." p 654

-Eric

--
arctic bears - email and dns services
http://www.arcticbears.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/