lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 11 May 2005 14:39:59 +0200
From: Peter Keel <>
To: Alok Menghrajani - Ilion Security SA <>
Subject: Re: TCP/IP implementations do not adequately validate ICMP error

Alok Menghrajani - Ilion Security SA wrote:
> Hi,
> I was playing around with the ICMP error messages DOS attack (I found an
> exploit on bid 13214), and I noticed the following
> work around:
> when I add the following rule to iptables, the linux server (Kernel
> 2.4.29-grsec) is no longer vulnerable to the DOS:
> iptables -I INPUT 1 -p icmp -j DROP
> I am interested in knowing if this work around makes any sense. Please
> keep me informed about this vulnerability.

It does not make sense. A few years ago somebody wrote an essay about
that, titled "security zealots break the internet" (can't find it
anymore, though). And that is what this does.

RFC 1122 states:
"A Destination Unreachable message that is received MUST be
 reported to the transport layer.  The transport layer SHOULD
 use the information appropriately; for example, see Sections,, and 4.2.4 below.  A transport protocol
 that has its own mechanism for notifying the sender that a
 port is unreachable (e.g., TCP, which sends RST segments)
 MUST nevertheless accept an ICMP Port Unreachable for the
 same purpose."

The Problem:
- Hosts trying to send you something will experience a 2 minute delay,
which might lead to a DoS-attack against that host. We had that,
some customers primary MX did it, his sendmail went down, and our
secondary MX had hundreds of open connections.

The other problem (fragmentation needed):
- Some DSL-users have a lower MTU. You will block any request to
fragment packets, so your host will be unreachable. Some idiots
at internet-banks did that.

This one is better:
iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp --icmp-type port-unreachable -j ACCEPT
iptables -A INPUT -p icmp -j DROP

Peter Keel
Operator in charge of Security        Tel +41 1 287 2993
Cyberlink Internet Services AG        Fax +41 1 287 2991
Richard Wagnerstrasse 6     
CH-8002 Zuerich        

Powered by blists - more mailing lists