Re: ICMP pokes holes in firewalls...

From: Daniel Hartmeier (daniel_at_benzedrine.cx)
Date: 09/27/03

Date: Sat, 27 Sep 2003 02:19:14 +0200
To: Darren Reed <avalon@caligula.anu.edu.au>

On Fri, Sep 26, 2003 at 10:13:56AM +1000, Darren Reed wrote:

> There's also a general problem here, that needs attention and that
> is you really shouldn't allow more ICMP error packets through than
> you see normal connection packets. i.e. one UDP packet out should
> not allow more than one ICMP error message back in.

Technically, a single packet may cause multiple legitimate ICMP errors.
As per RFC 792, an ICMP redirect does not imply that the packet was dropped
(quite the contrary) and ICMP source quench may be sent without dropping
the packet. Hence, further hops may send further ICMP errors for the
same packet.

Rate limiting the ICMP errors with a strict 1:1 ratio would break
traceroute through a gateway that forwards back to the same network, or
one operating near its capacity limit, for instance.

Since, as you explained, stateful filtering verifies the referred-to
packet's details (addresses, ports, sequence numbers for TCP), an
attacker trying to flood the filtered peer with ICMP errors would have
to know those details (be on the connection path). In that case,
obviously, he could just as well generate a flood of TCP/UDP packets
matching the state entry (or, worse, hijack or tear down the connection).
So, what do we gain by rate limiting the ICMP errors?

Daniel

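The check Daniel refers to, a stateful filter admitting an inbound ICMP error only when the datagram quoted inside it matches an existing state entry, can be shown in a few dozen lines. The example below is added here and is not pf's code or anything from the thread: it builds constructed ICMP error messages (RFC 792 layout, checksums left at zero) against a constructed state table with documentation-range addresses, then shows that two errors from different hops for the same outbound packet both pass, while an error quoting a wrong port or an out-of-window TCP sequence number is dropped. Names such as `STATE_TABLE`, `icmp_error_matches_state` and `demo` are this example's own.

```python
import socket
import struct

# Constructed state table, as a stateful filter would have populated it when
# the protected host 192.0.2.10 sent packets out (outbound 5-tuple -> state).
STATE_TABLE = {
    (17, "192.0.2.10", 40000, "198.51.100.53", 53): {},
    (6, "192.0.2.10", 51234, "203.0.113.80", 80): {"tcp_seq": 1000, "window": 65535},
}

def build_ipv4_header(src, dst, proto, total_len, ttl=64):
    # Minimal 20-byte IPv4 header, checksum left at 0 (constructed test data)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def build_icmp_error(icmp_type, code, quoted_ip_header, quoted_l4_bytes):
    # ICMP error: type, code, checksum (0 here), unused word, then the quoted
    # datagram: its IP header plus the first 8 bytes of its transport header
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted_ip_header + quoted_l4_bytes[:8]

def parse_quoted_packet(icmp_payload):
    """Return (proto, src, sport, dst, dport, tcp_seq) for the datagram quoted in an ICMP error."""
    if len(icmp_payload) < 8 + 20:
        raise ValueError("ICMP error too short to carry a quoted IP header")
    quoted = icmp_payload[8:]
    ihl = (quoted[0] & 0x0F) * 4
    if quoted[0] >> 4 != 4 or ihl < 20 or len(quoted) < ihl + 8:
        raise ValueError("quoted datagram is not IPv4 or lacks 8 bytes of transport header")
    proto = quoted[9]
    src = socket.inet_ntoa(quoted[12:16])
    dst = socket.inet_ntoa(quoted[16:20])
    l4 = quoted[ihl:ihl + 8]
    sport, dport = struct.unpack("!HH", l4[:4])
    # For TCP the 8 quoted transport bytes also cover the sequence number
    tcp_seq = struct.unpack("!I", l4[4:8])[0] if proto == 6 else None
    return proto, src, sport, dst, dport, tcp_seq

def icmp_error_matches_state(icmp_payload, state_table=STATE_TABLE):
    """Admit an inbound ICMP error only if the packet it quotes belongs to a known state."""
    try:
        proto, src, sport, dst, dport, seq = parse_quoted_packet(icmp_payload)
    except ValueError:
        return False
    state = state_table.get((proto, src, sport, dst, dport))
    if state is None:
        return False
    if proto == 6:
        # TCP: the quoted sequence number must fall inside the tracked window
        # (modulo 2**32 so the comparison survives sequence wraparound)
        if (seq - state["tcp_seq"]) % 2**32 >= state["window"]:
            return False
    return True

def demo():
    """Run constructed ICMP errors through the check; returns name -> admitted."""
    udp_ip = build_ipv4_header("192.0.2.10", "198.51.100.53", 17, 20 + 8 + 30)
    udp_l4 = struct.pack("!HHHH", 40000, 53, 8 + 30, 0)
    tcp_ip = build_ipv4_header("192.0.2.10", "203.0.113.80", 6, 20 + 20)
    return {
        # Two legitimate errors for the same outbound UDP packet, from different hops:
        # both match the state, so no 1:1 packet-to-error ratio is imposed
        "udp_unreachable_from_hop1": icmp_error_matches_state(build_icmp_error(3, 3, udp_ip, udp_l4)),
        "udp_ttl_exceeded_from_hop2": icmp_error_matches_state(build_icmp_error(11, 0, udp_ip, udp_l4)),
        # Quoted packet names a source port with no state entry: dropped
        "spoofed_wrong_port": icmp_error_matches_state(
            build_icmp_error(3, 3, udp_ip, struct.pack("!HHHH", 40001, 53, 38, 0))),
        "tcp_seq_in_window": icmp_error_matches_state(
            build_icmp_error(3, 4, tcp_ip, struct.pack("!HHI", 51234, 80, 1500))),
        "tcp_seq_out_of_window": icmp_error_matches_state(
            build_icmp_error(3, 4, tcp_ip, struct.pack("!HHI", 51234, 80, 5_000_000))),
        # Quoted datagram lacks the 8 transport bytes RFC 792 requires: dropped
        "truncated_quote": icmp_error_matches_state(build_icmp_error(3, 3, udp_ip, b"")),
    }

if __name__ == "__main__":
    for name, admitted in demo().items():
        print(f"{name:28s} {'pass' if admitted else 'drop'}")
```

The point the check illustrates is that admission depends on what the error quotes, not on how many errors arrive: an off-path sender who does not know the addresses, ports and (for TCP) a valid sequence number cannot get an error past the table, while a second redirect, source quench or TTL-exceeded message for the same in-flight packet is admitted as it should be.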