[38807] in bugtraq
Re: TCP/IP implementations do not adequately validate ICMP error messages
daemon@ATHENA.MIT.EDU (Maciej Soltysiak)
Wed May 11 18:49:39 2005
X-QSS-TOXIC-Mail-From: maciej@soltysiak.com via dns
Date: Wed, 11 May 2005 22:05:08 +0200
From: Maciej Soltysiak <maciej@soltysiak.com>
Reply-To: Maciej Soltysiak <maciej@soltysiak.com>
Message-ID: <921768889.20050511220508@soltysiak.com>
To: bugtraq@securityfocus.com
Cc: Alok Menghrajani - Ilion Security SA <alok@ilionsecurity.ch>
In-Reply-To: <4280CA6D.20602@ilionsecurity.ch>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Hello Alok,
Tuesday, May 10, 2005, 4:51:25 PM, you wrote:
> when I add the following rule to iptables, the linux server (Kernel
> 2.4.29-grsec) is no longer vulnerable to the DOS:
> iptables -I INPUT 1 -p icmp -j DROP
Um. Other way round:
1) setup a default drop policy
# iptables -P INPUT DROP
2) accept only what you want
# related and established traffic
# iptables -A INPUT -m state --state ESTABLISHED, RELATED -j ACCEPT
# allow only type: echo request, code: 0 (proper rfc ping)
# iptables -A INPUT -p icmp --icmp-type 8/0 -j ACCEPT
# other rules
> I am interested in knowing if this work around makes any sense. Please
> keep me informed about this vulnerability.
Unless you are accepting stateful RELATED ICMP traffic, you are propably fine,
but are just missing rules to allow PING, which is a RFC MUST AFAIR.
If not, you are doing a very bad thing. ICMP is really required for
error reporting. You really, really do not want to miss out on these,
as it may get you to problems like:
- being unable to detect a need for fragmentation
- being unable to receive dest.unreach. icmps which will cause delays
and timeouts.
Blocking all icmp by ISPs is called being criminally brain-dead
in a help message of the TCPMSS module for iptables in the kernel source :-)
--
Best regards,
Maciej
