Re: Survive without ICMP?

From: Maxime Ducharme (mducharme_at_cybergeneration.com)
Date: 05/20/04


Date: Thu, 20 May 2004 15:24:29 GMT


Thanks for your comments, I also agree with the point that we
are all learning and sharing information is a good thing :)

But I still do not understand "icmp data arrive through port 0".

ICMP resides above the IP protocol, beside TCP & UDP.

ICMP means Internet Control Message Protocol, and isn't
used to exchange data; it is used to help hosts know what
is happening.

One way you may see ICMP leave your box when
it receives a UDP or TCP packet on port 0 is as
ICMP Type 3 Code 3 (Port unreachable) packets.

ex:
TCP foreignhost -> yourbox:0 (connect to port 0)
ICMP yourbox -> foreignhost (port is unreachable)

This would be normal behavior for a TCP/IP stack.

Another way that port has been used is to set the source port to
0 and send the packet to an open port of a server
to determine its OS from its TCP/IP stack behavior.
ex:

TCP foreignhost:0 -> awebserver:80 (open port)
TCP awebserver:80 -> foreignhost:1025 (the stack changed the source port to 1025)

This article:
http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
doesn't talk about ICMP; it talks about TCP flag combinations
to determine the OS via its TCP/IP stack behavior.

It doesn't talk about port 0 either.

This article:
http://www.robertgraham.com/pubs/firewall-seen.html#2
indicates:

"Some firewalls (inaccurately) label ICMP fields as "ports". ICMP has no
ports like TCP or UDP, but it does have two fields called "type" and
"code"."

It gives an example of what I just explained: an ICMP response
is usually returned to the foreign host when there is a problem
(like host unreachable, port unreachable, protocol unreachable, ...)
with the requested port. But this port can be anything between 0 and 65535.

I suggest some more reading:
http://www.ietf.org/rfc/rfc1122.txt section 3.2.2
http://www.robertgraham.com/pubs/hacking-dict.html#icmp
http://www.thinkingsecure.com/docs/TCPIP-Illustrated-1/icmp_int.htm
http://www.citap.com/documents/tcp-ip/tcpip012.htm

And this one explains how to configure a Linux firewall to decide what to do
when it receives a TCP packet to a forbidden port, which may
help to understand:
http://logi.cc/linux/reject_or_deny.html

We can either:
- Drop the packet (no answer to the foreign host)
- Send a TCP packet with the RST flag to the foreign host
   (meaning "my port is closed")
- Send an ICMP message with the correct type & code
   saying "port is unreachable"

Hope this helps again

Have a nice day

Maxime Ducharme
Programmer / Network security specialist

"Purl Gurl" <purlgurl@purlgurl.net> wrote in message
news:40ACC01E.4E1AEF30@purlgurl.net...
> Maxime Ducharme wrote:
>
> > Purl Gurl wrote:
> > > Alan Illeman wrote:
>
> (snipped)
>
> > > > Can I survive if I block all ICMP requests?
>
> > ICMP does not include any ports.
>
> > http://www.iana.org/assignments/icmp-parameters
>
> > http://www.networkpenetration.com/port0.html
>
> Thank you, Maxime, for additional information.
> This benefits all readers. Like you, I encourage
> readers to follow those links and other links,
> to research, read and learn, keeping in mind
> each author will present his specific viewpoint.
> A variety of research sources will provide a
> much better generalized notion, and clarity.
>
> You will note in my articles I make a distinction
> between port zero and icmp packets. You will also
> discover I indicate historical hacks in which icmp data
> arrive through port 0, which is well documented.
>
> You will discover by writing your own custom program
> there are a minimum of three responses through port 0
> which are icmp responses, types 13, 14 and 17.
>
> Perhaps it is that each operating system handles port 0
> requests differently, leading to a default action
> which returns icmp responses. It is documented that there
> is wide variation in how each system, and each system
> version, handles port 0 inquiries, bidirectionally.
>
> Unfortunately, none of us are experts on each and
> every system type out there.
>
> Your links provide additional information so readers
> can become better informed about this clouded issue.
>
> Standard issue advice is to close port 0 to all
> connections, and deny only selected icmp types.
> My previous articles add some information, albeit
> limited, why closing port 0 is preferred over
> denial of all icmp packets. Some system issues
> may come about thus my suggestion to test and
> note results.
>
> Readers will benefit by engaging in a detailed
> highly technical study of this, but expect to
> encounter some lack of clarity; there are many
> valid points of view on this.
>
>
> Purl Gurl
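As an added illustration of the Type 3 Code 3 exchange discussed in the post (this is example code, not from the post or the references it links): building and parsing an ICMP Port Unreachable message as RFC 792 lays it out, which shows that the "port" some firewalls attach to an ICMP message is really read from the embedded copy of the original packet's header. Host addresses and port numbers are constructed sample values.

```python
import struct

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_port_unreachable(orig_ip_header: bytes, orig_l4_first8: bytes) -> bytes:
    """ICMP Type 3 (Destination Unreachable), Code 3 (Port Unreachable).
    Per RFC 792 the body carries the offending datagram's IP header plus
    the first 8 bytes of its payload, which is where the ports live."""
    body = orig_ip_header + orig_l4_first8
    cksum = icmp_checksum(struct.pack("!BBHI", 3, 3, 0, 0) + body)
    return struct.pack("!BBHI", 3, 3, cksum, 0) + body

def parse_port_unreachable(msg: bytes) -> dict:
    """Recover the addresses, protocol and ports the ICMP message refers to.
    ICMP itself has no ports; the 'port' a firewall log attaches to this
    message comes from the embedded original header."""
    icmp_type, code, _cksum, _unused = struct.unpack("!BBHI", msg[:8])
    if icmp_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    if (icmp_type, code) != (3, 3):
        raise ValueError("not port-unreachable: type %d code %d" % (icmp_type, code))
    inner = msg[8:]
    ihl = (inner[0] & 0x0F) * 4                 # inner IP header length
    proto = {6: "tcp", 17: "udp"}.get(inner[9], str(inner[9]))
    src = ".".join(map(str, inner[12:16]))
    dst = ".".join(map(str, inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}

def sample_message() -> bytes:
    """Constructed sample: TCP 192.0.2.10:40000 -> 198.51.100.5:0 (the
    'connect to port 0' case from the post), answered with Type 3 Code 3.
    Addresses are RFC 5737 documentation ranges; IP checksum left at 0."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    tcp_first8 = struct.pack("!HHI", 40000, 0, 0)   # sport, dport, seq
    return build_port_unreachable(ip_hdr, tcp_first8)

if __name__ == "__main__":
    print(parse_port_unreachable(sample_message()))
```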


