[2767] in bugtraq
Re: Router programming,source routes and spoofed ICMP attacks.
daemon@ATHENA.MIT.EDU (Tom Fitzgerald)
Fri Jun 21 03:26:31 1996
Date: Fri, 21 Jun 1996 01:45:30 -0400
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
From: Tom Fitzgerald <fitz@draco.mv.com>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To: <199606201903.NAA00623@slack.xmission.com> from "Pete Ashdown" at Jun 20, 96 01:03:32 pm
> >2: If you run a vulnerable machine (IRC or other chat server), consider
> > blocking icmp from outside your network from being passed through if
> > it's destined for that server.
>
> I noticed a bit of this weirdness being reported by gated the other day.
> Does anyone know how to block it at the gated level, or is it
> automatically done because it isn't on the local network?
Gated was probably complaining about route-redirects, which are one (rare)
form of bomb. Gated can't block them but it will remove the redirected
routes as soon as it notices them, so you may get a hiccup in availability
but no lost connections. ICMP bombs made of host-unreachables and
port-unreachables are more common - gated won't see them and on some
platforms they'll cause a disconnect.
The fix for redirect bombs is to do standard spoof-filtering: block all
packets coming into your site that have a source-address within your site.
Your TCP stack should also make sure that the source of a redirect is the
original next-hop for the specified route (BSD 4.4 does this but I don't
know how common it is).
Responding to the original poster.... people should NOT block ICMPs to
systems that don't let unreachables disconnect a connection that's in
ESTABLISHED state. These systems are immune to bombs, and blocking all
ICMPs has bad side-effects like making e-mail delivery attempts take much
longer. Fixing the TCP stack is the real solution; filtering ICMPs is a
crude hack to get around a broken TCP.
--
Tom Fitzgerald fitz@draco.mv.com
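The three defensive measures the reply describes (ingress spoof filtering at the border, accepting an ICMP redirect only from the router that is the current first hop, and a TCP stack that records unreachables as soft errors instead of tearing down an ESTABLISHED connection) can be modelled in a few dozen lines. The following is an added example written for this archive page, not code from the thread or from any of the systems it mentions. The site prefix, the addresses, the class and function names, and the "bomb" scenario are all constructed; the rule that only a port-unreachable answering our own SYN (state SYN_SENT) is fatal is the conventional BSD-style behaviour and is an assumption, since the post itself only says that ESTABLISHED connections must not be disconnected.

```python
"""Model of the mitigations in the post: spoof filtering at the border,
next-hop validation of ICMP redirects, and a TCP stack that treats
unreachables as soft errors on ESTABLISHED connections.
Constructed example; names and addresses are hypothetical."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# ICMP type and code values from RFC 792.
ICMP_DEST_UNREACH = 3
ICMP_REDIRECT = 5
UNREACH_HOST = 1
UNREACH_PORT = 3

# Constructed site prefix (RFC 5737 documentation range).
SITE = ipaddress.ip_network("192.0.2.0/24")


def drop_spoofed_ingress(src_ip: str) -> bool:
    """Border rule from the post: a packet arriving from outside the site
    whose source address lies inside the site is spoofed. True means drop."""
    return ipaddress.ip_address(src_ip) in SITE


@dataclass
class Conn:
    remote: str
    state: str = "ESTABLISHED"      # or "SYN_SENT"
    aborted: bool = False
    soft_error: Optional[int] = None  # last unreachable code, for the application


class Host:
    """Minimal host routing table plus two alternative ICMP error handlers."""

    def __init__(self, default_gw: str):
        self.default_gw = default_gw
        self.routes: Dict[str, str] = {}   # destination -> next hop

    def next_hop(self, dest: str) -> str:
        return self.routes.get(dest, self.default_gw)

    def on_redirect(self, icmp_src: str, dest: str, new_gw: str) -> bool:
        """Apply a redirect only if it was sent by the router that is currently
        the first hop for `dest` (the BSD 4.4 check the post mentions)."""
        if icmp_src != self.next_hop(dest):
            return False                   # forged or stale redirect: ignore
        self.routes[dest] = new_gw
        return True

    @staticmethod
    def on_unreachable_naive(conn: Conn, code: int) -> None:
        """The broken stack the post describes: any unreachable kills the connection."""
        conn.aborted = True

    @staticmethod
    def on_unreachable_hardened(conn: Conn, code: int) -> None:
        """Recommended behaviour: an unreachable never aborts an ESTABLISHED
        connection; it is recorded as a soft error. A port-unreachable in reply
        to our own SYN (SYN_SENT) is the one hard failure (assumed BSD-style rule)."""
        if conn.state == "SYN_SENT" and code == UNREACH_PORT:
            conn.aborted = True
        else:
            conn.soft_error = code


def simulate_bomb(handler: Callable[[Conn, int], None], n: int = 50) -> bool:
    """Feed n forged host- and port-unreachables to an ESTABLISHED connection
    and report whether the stack under test dropped it."""
    conn = Conn(remote="198.51.100.7")     # constructed peer address
    for _ in range(n):
        handler(conn, UNREACH_HOST)
        handler(conn, UNREACH_PORT)
    return conn.aborted


if __name__ == "__main__":
    print("spoofed ingress 192.0.2.10 dropped:", drop_spoofed_ingress("192.0.2.10"))
    h = Host(default_gw="192.0.2.1")
    print("redirect from outsider applied:", h.on_redirect("203.0.113.9", "198.51.100.7", "192.0.2.2"))
    print("redirect from current gateway applied:", h.on_redirect("192.0.2.1", "198.51.100.7", "192.0.2.2"))
    print("naive stack disconnected by bomb:", simulate_bomb(Host.on_unreachable_naive))
    print("hardened stack disconnected by bomb:", simulate_bomb(Host.on_unreachable_hardened))
```

The redirect check is stateful: once a redirect from the legitimate gateway has moved the route to a new next hop, a later redirect from the old gateway is rejected, which is what keeps a forged redirect from hijacking the route even when the forger knows the default gateway's address.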