
Re: TCP/IP implementations do not adequately validate ICMP error messages



Alok Menghrajani - Ilion Security SA wrote:
> Hi,
> 
> I was playing around with the ICMP error messages DOS attack (I found an
> exploit on securityfocus.org bid 13214), and I noticed the following
> workaround:
> 
> when I add the following rule to iptables, the linux server (Kernel
> 2.4.29-grsec) is no longer vulnerable to the DOS:
> iptables -I INPUT 1 -p icmp -j DROP
> 
> I am interested in knowing if this workaround makes any sense. Please
> keep me informed about this vulnerability.

It does not make sense. A few years ago somebody wrote an essay about
that, titled "security zealots break the internet" (can't find it
anymore, though). And that is what this does.

RFC 1122 states:
"A Destination Unreachable message that is received MUST be
 reported to the transport layer.  The transport layer SHOULD
 use the information appropriately; for example, see Sections
 4.1.3.3, 4.2.3.9, and 4.2.4 below.  A transport protocol
 that has its own mechanism for notifying the sender that a
 port is unreachable (e.g., TCP, which sends RST segments)
 MUST nevertheless accept an ICMP Port Unreachable for the
 same purpose."

The Problem:
- Hosts trying to send you something will experience a 2 minute delay,
which might lead to a DoS-attack against that host. We had that: some
customer's primary MX did it, his sendmail went down, and our
secondary MX had hundreds of open connections.

The other problem (fragmentation needed):
- Some DSL-users have a lower MTU. You will block any request to
fragment packets, so your host will be unreachable. Some idiots
at internet-banks did that.

This one is better:
iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp --icmp-type port-unreachable -j ACCEPT
iptables -A INPUT -p icmp -j DROP

Regards
Peter Keel
-- 
Operator in charge of Security        Tel +41 1 287 2993
Cyberlink Internet Services AG        Fax +41 1 287 2991
Richard Wagnerstrasse 6               admin@xxxxxxxxxxxx
CH-8002 Zuerich                  http://www.cyberlink.ch
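The thread's subject is that hosts accept ICMP errors without checking them against the connection they claim to belong to, which is why the poster had to drop ICMP at the firewall instead. The following is an added illustration (not code from this thread, and not the kernel's own implementation) of the host-side check that makes dropping ICMP unnecessary: a Destination Unreachable is only honoured if its embedded IP/TCP header matches an existing connection four-tuple and the quoted sequence number lies in that connection's send window (the check RFC 5927 later recommended). The connection table and the packets are constructed sample data.

```python
import struct
from ipaddress import ip_address

# Constructed sample connection table:
# (local_ip, local_port, remote_ip, remote_port) -> (snd_una, snd_nxt)
CONNECTIONS = {
    ("192.0.2.10", 443, "198.51.100.7", 51234): (1000, 1500),
}

def icmp_checksum(data):
    """RFC 1071 one's-complement checksum; returns 0 for a valid message."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xffff) + (s >> 16)
    return (~s) & 0xffff

def build_dest_unreachable(code, src, sport, dst, dport, seq):
    """Construct an ICMP type 3 message quoting the IP header and first
    8 bytes of TCP (ports + sequence number) of the packet that failed."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                           ip_address(src).packed, ip_address(dst).packed)
    inner_tcp = struct.pack("!HHI", sport, dport, seq)
    body = struct.pack("!BBHI", 3, code, 0, 0) + inner_ip + inner_tcp
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

def validate_icmp_error(icmp, conns=CONNECTIONS):
    """Return (accept, reason). Only a well-formed Destination Unreachable
    that matches a live connection and its send window is accepted."""
    if len(icmp) < 8 + 20 + 8:
        return False, "too short"
    typ, code = icmp[0], icmp[1]
    if typ != 3:
        return False, "not destination unreachable"
    if icmp_checksum(icmp) != 0:
        return False, "bad checksum"
    inner = icmp[8:]                       # quoted original IP datagram
    ihl = (inner[0] & 0x0f) * 4
    if ihl < 20 or len(inner) < ihl + 8:
        return False, "truncated inner header"
    if inner[9] != 6:
        return False, "inner not TCP"
    src, dst = str(ip_address(inner[12:16])), str(ip_address(inner[16:20]))
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    key = (src, sport, dst, dport)         # the quoted packet was sent by us
    if key not in conns:
        return False, "no matching connection"
    snd_una, snd_nxt = conns[key]
    if not (snd_una <= seq < snd_nxt):
        return False, "sequence outside window"
    return True, "code %d accepted for %s:%d -> %s:%d" % ((code,) + key)
```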