Re: how to disable ICMP: "Echo Request" (ping)

From: Greg Metcalfe (metcalfegregdelete_at_qwest.net)
Date: 07/24/05


Date: Sat, 23 Jul 2005 15:03:36 -0700

Moe Trin wrote:

> In the Usenet newsgroup comp.os.linux.security, in article
> <Hk1Ee.102$CS2.16463@news.uswest.net>, Greg Metcalfe wrote:
>
>>What you're trying to avoid is called a Path MTU Discovery Black Hole. You
>>can find out quite a bit about it with a quick google. I know there was a
>>good paper on it from a Usenix LISA conference a couple or three years
>>ago.
>
> 1191 Path MTU discovery. J.C. Mogul, S.E. Deering. Nov-01-1990.
> (Format: TXT=47936 bytes) (Obsoletes RFC1063) (Status: DRAFT
> STANDARD)
>
> 1435 IESG Advice from Experience with Path MTU Discovery. S. Knowles.
> March 1993. (Format: TXT=2708 bytes) (Status: INFORMATIONAL)
>
> 2923 TCP Problems with Path MTU Discovery. K. Lahey. September 2000.
> (Format: TXT=30976 bytes) (Status: INFORMATIONAL)
>
>>Basically, you should allow ICMP type 3 code 4. These packets are safe.
>
> You may want to look at the Bugtraq mailing list for the past couple of
> days. There is "a discussion" of a denial of service attack relating to
> this. If you don't want to subscribe, grab a list of news groups from
> your news server and look for the word bugtraq - there are several groups
> that mirror the lists, such as mailing.unix.bugtraq or muc.lists.bugtraq.
>
>>Pretty much nothing else in ICMP is.
>
> I don't know if I'd go quite that far.
>
> Old guy

Thanks for the bugtraq references. I haven't been by there in a few days. A
couple of ICMP references from SANS (first two are the ones I was thinking
of a couple of days ago):

The LISA paper
http://www.usenix.org/events/lisa02/tech/full_papers/vanderberg/vanderberg_html/

Descriptions of many ICMP attacks, by type:code
http://www.giac.org/practical/gsec/Lindsay_Eden_GSEC.pdf

Another good reference to the Bad Things that can be done via ICMP. I
would argue that some of the items here can be useful, though. The old
argument of any tool may be used for good or ill.
http://www.sans.org/resources/idfaq/icmp_misuse.php
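As an added example (not from the original post, its author, or any of the papers linked above), here is a small Python classifier implementing the policy Greg describes: accept ICMP type 3 code 4 so Path MTU Discovery keeps working, drop Echo Request, and drop everything else by default. It also shows what a type 3 code 4 message actually carries (the Next-Hop MTU from RFC 1191 and the quoted header of the datagram that was too big) and validates that before trusting it. The packet contents and addresses (RFC 5737 documentation ranges) are constructed for the example, and the sanity checks on the quoted datagram and the Next-Hop MTU are the example's own assumptions, not something the thread specifies.

```python
"""Classify ICMP messages under the policy discussed in the thread: keep the
type 3 code 4 ("Fragmentation Needed") messages that Path MTU Discovery needs,
drop Echo Request (ping), and drop everything else by default.  All sample
packets below are constructed inline; no real traffic is involved."""
import struct

ICMP_DEST_UNREACH = 3   # type 3, Destination Unreachable (RFC 792)
ICMP_FRAG_NEEDED = 4    # code 4 under type 3, carries Next-Hop MTU (RFC 1191)
ICMP_ECHO_REQUEST = 8   # type 8, what "ping" sends
IPV4_MIN_HEADER = 20    # smallest IPv4 header a router quotes back


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words.  Over a packet whose
    checksum field is already correct, the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: int, payload: bytes = b"") -> bytes:
    """Build an ICMP message.  `rest` is the 4-byte field after the checksum:
    identifier+sequence for echo, unused+Next-Hop MTU for type 3 code 4."""
    header = struct.pack("!BBHI", icmp_type, code, 0, rest)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, rest) + payload


def parse_icmp(packet: bytes) -> dict:
    """Validate the 8-byte ICMP header and checksum; for Fragmentation Needed
    messages also extract the Next-Hop MTU."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP header")
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, rest = struct.unpack("!BBHI", packet[:8])
    info = {"type": icmp_type, "code": code, "payload": packet[8:]}
    if icmp_type == ICMP_DEST_UNREACH and code == ICMP_FRAG_NEEDED:
        info["next_hop_mtu"] = rest & 0xFFFF  # low 16 bits; high 16 are unused
    return info


def filter_decision(packet: bytes) -> str:
    """Return 'accept' or 'drop' for one ICMP message under the thread's policy."""
    try:
        info = parse_icmp(packet)
    except ValueError:
        return "drop"  # malformed; never worth forwarding
    if info["type"] == ICMP_DEST_UNREACH and info["code"] == ICMP_FRAG_NEEDED:
        # RFC 792: the body quotes the offending datagram's IP header plus the
        # first 8 bytes of its payload, so anything shorter is not a usable
        # PMTUD message.  A Next-Hop MTU of 0 is tolerated (pre-RFC 1191
        # routers send it); a non-zero value below the IPv4 minimum of 68 is
        # rejected.  Both thresholds are this example's assumptions.
        mtu = info["next_hop_mtu"]
        if len(info["payload"]) < IPV4_MIN_HEADER + 8 or 0 < mtu < 68:
            return "drop"
        return "accept"
    if info["type"] == ICMP_ECHO_REQUEST:
        return "drop"  # the ping the thread sets out to block
    return "drop"      # default deny for every other ICMP type


# Constructed sample: IP header (192.0.2.1 -> 198.51.100.7, TCP, 1500 bytes,
# DF set) and the first 8 TCP bytes, as a router would quote them back.
ORIGINAL_IP_HEADER = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000,
                                 64, 6, 0, bytes([192, 0, 2, 1]),
                                 bytes([198, 51, 100, 7]))
ORIGINAL_TCP_START = struct.pack("!HHI", 40000, 443, 0x01020304)

FRAG_NEEDED = build_icmp(ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 1400,
                         ORIGINAL_IP_HEADER + ORIGINAL_TCP_START)  # MTU 1400
ECHO_REQUEST = build_icmp(ICMP_ECHO_REQUEST, 0, (0x1234 << 16) | 1, b"abcdefgh")
TIMESTAMP_REQUEST = build_icmp(13, 0, 0, b"\x00" * 12)
# Same PMTUD message with one byte of the quoted header flipped: bad checksum.
CORRUPTED = FRAG_NEEDED[:9] + bytes([FRAG_NEEDED[9] ^ 0xFF]) + FRAG_NEEDED[10:]

if __name__ == "__main__":
    for name, pkt in [("frag-needed", FRAG_NEEDED), ("echo-request", ECHO_REQUEST),
                      ("timestamp", TIMESTAMP_REQUEST), ("corrupted", CORRUPTED)]:
        print(f"{name:13s} -> {filter_decision(pkt)}")
    print("next-hop MTU carried:", parse_icmp(FRAG_NEEDED)["next_hop_mtu"])
```

In practice this decision is made by the host firewall rather than by userland code (on Linux, iptables names type 3 code 4 `fragmentation-needed`); the value of the example is in seeing why that one message class is worth keeping: the Next-Hop MTU it carries is exactly what the sender needs to avoid the black hole described above, and the quoted original header gives the receiver something to check before acting on it.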
