Re: TCP/IP implementations do not adequately validate ICMP error messages

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: TCP/IP implementations do not adequately validate ICMP error messages
From: Maciej Soltysiak <maciej@xxxxxxxxxxxxx>
Date: Wed, 11 May 2005 22:05:08 +0200
Cc: Alok Menghrajani - Ilion Security SA <alok@xxxxxxxxxxxxxxxx>
In-reply-to: <4280CA6D.20602@xxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <1115211050.27412.ezmlm@xxxxxxxxxxxxxxxxx> <4280CA6D.20602@xxxxxxxxxxxxxxxx>
Reply-to: Maciej Soltysiak <maciej@xxxxxxxxxxxxx>

Hello Alok,

Tuesday, May 10, 2005, 4:51:25 PM, you wrote:
> when I add the following rule to iptables, the linux server (Kernel
> 2.4.29-grsec) is no longer vulnerable to the DOS:
> iptables -I INPUT 1 -p icmp -j DROP
Um. Other way round:

1) setup a default drop policy

        # iptables -P INPUT DROP

2) accept only what you want

        # related and established traffic
        # iptables -A INPUT -m state --state ESTABLISHED, RELATED -j ACCEPT

        # allow only type: echo request, code: 0 (proper rfc ping)
        # iptables -A INPUT -p icmp --icmp-type 8/0 -j ACCEPT

        # other rules
        
> I am interested in knowing if this work around makes any sense. Please
> keep me informed about this vulnerability.
Unless you are accepting stateful RELATED ICMP traffic, you are propably fine,
but are just missing rules to allow PING, which is a RFC MUST AFAIR.

If not, you are doing a very bad thing. ICMP is really required for
error reporting. You really, really do not want to miss out on these,
as it may get you to problems like:
- being unable to detect a need for fragmentation
- being unable to receive dest.unreach. icmps which will cause delays
and timeouts.

Blocking all icmp by ISPs is called being criminally brain-dead
in a help message of the TCPMSS module for iptables in the kernel source :-)

-- 
Best regards,
Maciej

References:
- TCP/IP implementations do not adequately validate ICMP error messages
  - From: Alok Menghrajani - Ilion Security SA

Prev by Date: Commonly used disk imaging and wiping tools can be tricked to miss parts of a disk
Next by Date: Guesbook Pro XSS & HTML Injection
Previous by thread: Re: TCP/IP implementations do not adequately validate ICMP error messages
Next by thread: Re: SPAM-HIGH: TCP/IP implementations do not adequately validate ICMP error messages
Index(es):
- Date
- Thread