Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: SPAM-HIGH: TCP/IP implementations do not adequately validate ICMP error messages
From: David Nichols <dnichols () amci com>
Date: Wed, 11 May 2005 10:20:55 -0400

Hello Alok-

What you are doing is dropping all incoming icmp packets, including those that may be valid. A much better way of dealing with the problem is rate limiting the packets so that they get through as long as they come in slow enough. The idea is that a DOS will send you a large number of packets in a very short amount of time. Those you can safely drop.

Here's a short example that creates two tables, one for incoming icmp (icmp_in) and one for outgoing icmp (icmp_out).
icmp_in is called with the following line in the INPUT table:
   $IPTABLES -A INPUT -p ICMP -j icmp_in

icmp_out is called with the following line in the OUTPUT table:
   $IPTABLES -A OUTPUT -p icmp -j icmp_out

############################################
# filter.icmp_in chain
# Called from filter.input
#
# 1. Only accept 4 types based on their icmp-type
#    Type 0:  Echo Replies (allows response from Ping request by firewall)
#             State matched to prevent replies we didn't request.
# Type 8: Echo Request (allows LAN and Internet to Ping the firewall, rate
#             limited to prevent Ping o' Death attacks.
#    Type 3:  Destination Unreachable (All type codes)
#    Type 11: Time Exceeded: TTL = 0 in transit
# Types 3 & 11 allowed so DNS proxy can receive errors contacting a server.
#

echo "icmp_in"

$IPTABLES -N icmp_in
$IPTABLES -A icmp_in -p ICMP --icmp-type 0 -m state \
                    --state ESTABLISHED -j ACCEPT
$IPTABLES -A icmp_in -i $LAN_IFACE -p ICMP --icmp-type 8 \
                    -m limit --limit 100/second --limit-burst 5 -j ACCEPT
$IPTABLES -A icmp_in -i $INET_IFACE -p ICMP --icmp-type 8 \
                    -m limit --limit 50/second --limit-burst 5 -j ACCEPT
$IPTABLES -A icmp_in -p ICMP --icmp-type 3 -m limit \
                    --limit 25/second --limit-burst 5 -j ACCEPT
$IPTABLES -A icmp_in -p ICMP --icmp-type 11 -m limit \
                    --limit 25/second --limit-burst 5 -j ACCEPT
$IPTABLES -A icmp_in -p ICMP -j DROP


############################################
# filter.icmp_out chain
# Called from filter.output
#
# 1. Only output 4 types based on their icmp-type
#    Type 0:  Echo Replies (allows response from Ping request to firewall)
# Incoming echo requests are rate limited in the icmp_in chain above.
#    Type 8:  Echo Request (allows basic connectivity check from firewall)
#    Type 3:  Destination Unreachable (All type codes)
#    Type 11: Time Exceeded: TTL = 0 in transit
# Types 3 & 11 allowed so firewall can send out errors contacting internal DNS.

echo "icmp_out"

$IPTABLES -N icmp_out
$IPTABLES -A icmp_out -p ICMP --icmp-type 0 -m state \
                     --state ESTABLISHED -j ACCEPT
$IPTABLES -A icmp_out -p ICMP --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_out -p ICMP --icmp-type 3 -j ACCEPT
$IPTABLES -A icmp_out -p ICMP --icmp-type 11 -j ACCEPT
$IPTABLES -A icmp_out -m limit --limit 3/minute --limit-burst 1 -j LOG \
--log-level DEBUG --log-prefix "Improper ICMP from FW: "
$IPTABLES -A icmp_out -p ICMP -j DROP

There's a great iptables tutorial on the web that explains rate limiting packets, along with everything else. http://iptables-tutorial.frozentux.net/

Hope this helped!

David Nichols


Alok Menghrajani - Ilion Security SA wrote:

Hi,

I was playing around with the ICMP error messages DOS attack (I found an exploit on securityfocus.org bid 13214), and I noticed the following work around:

when I add the following rule to iptables, the linux server (Kernel 2.4.29-grsec) is no longer vulnerable to the DOS:
iptables -I INPUT 1 -p icmp -j DROP

I am interested in knowing if this work around makes any sense. Please keep me informed about this vulnerability.

Thank you,
Alok.


--
"The problem is that, when we begin to realize the potential goodness in ourselves, we often take our discovery much too 
seriously.  We might kill for goodness or die for goodness; we want it so badly. What is lacking is a sense of humor. Humor here 
does not mean telling jokes or being comical or criticizing others and laughing at them. A genuine sense of humor is having a 
light touch: not beating reality into the ground but appreciating reality with a light touch.  The basis of Shambhala vision is 
rediscovering that perfect and real sense of humor, that light touch of appreciation."
Shambhala - The Sacred Path of the Warrior


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault