lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 11 May 2005 10:20:55 -0400
From: David Nichols <dnichols@...i.com>
To: Alok Menghrajani - Ilion Security SA <alok@...onsecurity.ch>
Cc: bugtraq@...urityfocus.com
Subject: Re: SPAM-HIGH:  TCP/IP implementations do not adequately validate
 ICMP error messages


Hello Alok-

What you are doing is dropping all incoming icmp packets, including 
those that may be valid.  A much better way of dealing with the problem 
is rate limiting the packets so that they get through as long as they 
come in slow enough.  The idea is that a DOS will send you a large 
number of packets in a very short amount of time.  Those you can safely 
drop.

Here's a short example that creates two tables, one for incoming icmp 
(icmp_in) and one for outgoing icmp (icmp_out). 

icmp_in is called with the following line in the INPUT table:
    $IPTABLES -A INPUT -p ICMP -j icmp_in

icmp_out is called with the following line in the OUTPUT table:
    $IPTABLES -A OUTPUT -p icmp -j icmp_out

############################################
# filter.icmp_in chain
# Called from filter.input
#
# 1. Only accept 4 types based on their icmp-type
#    Type 0:  Echo Replies (allows response from Ping request by firewall)
#             State matched to prevent replies we didn't request.
#    Type 8:  Echo Request (allows LAN and Internet to Ping the 
firewall, rate
#             limited to prevent Ping o' Death attacks.
#    Type 3:  Destination Unreachable (All type codes)
#    Type 11: Time Exceeded: TTL = 0 in transit
#    Types 3 & 11 allowed so DNS proxy can receive errors contacting a 
server.
#

echo "icmp_in"

$IPTABLES -N icmp_in
$IPTABLES -A icmp_in -p ICMP --icmp-type 0 -m state \
                     --state ESTABLISHED -j ACCEPT
$IPTABLES -A icmp_in -i $LAN_IFACE -p ICMP --icmp-type 8 \
                     -m limit --limit 100/second --limit-burst 5 -j ACCEPT
$IPTABLES -A icmp_in -i $INET_IFACE -p ICMP --icmp-type 8 \
                     -m limit --limit 50/second --limit-burst 5 -j ACCEPT
$IPTABLES -A icmp_in -p ICMP --icmp-type 3 -m limit \
                     --limit 25/second --limit-burst 5 -j ACCEPT
$IPTABLES -A icmp_in -p ICMP --icmp-type 11 -m limit \
                     --limit 25/second --limit-burst 5 -j ACCEPT
$IPTABLES -A icmp_in -p ICMP -j DROP


############################################
# filter.icmp_out chain
# Called from filter.output
#
# 1. Only output 4 types based on their icmp-type
#    Type 0:  Echo Replies (allows response from Ping request to firewall)
#             Incoming echo requests are rate limited in the icmp_in 
chain above.
#    Type 8:  Echo Request (allows basic connectivity check from firewall)
#    Type 3:  Destination Unreachable (All type codes)
#    Type 11: Time Exceeded: TTL = 0 in transit
#    Types 3 & 11 allowed so firewall can send out errors contacting 
internal DNS.

echo "icmp_out"

$IPTABLES -N icmp_out
$IPTABLES -A icmp_out -p ICMP --icmp-type 0 -m state \
                      --state ESTABLISHED -j ACCEPT
$IPTABLES -A icmp_out -p ICMP --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_out -p ICMP --icmp-type 3 -j ACCEPT
$IPTABLES -A icmp_out -p ICMP --icmp-type 11 -j ACCEPT
$IPTABLES -A icmp_out -m limit --limit 3/minute --limit-burst 1 -j LOG \
                      --log-level DEBUG --log-prefix "Improper ICMP from 
FW: "
$IPTABLES -A icmp_out -p ICMP -j DROP

There's a great iptables tutorial on the web that explains rate limiting 
packets, along with everything else.  
http://iptables-tutorial.frozentux.net/

Hope this helped!

David Nichols


Alok Menghrajani - Ilion Security SA wrote:

> Hi,
>
> I was playing around with the ICMP error messages DOS attack (I found 
> an exploit on securityfocus.org bid 13214), and I noticed the 
> following work around:
>
> when I add the following rule to iptables, the linux server (Kernel 
> 2.4.29-grsec) is no longer vulnerable to the DOS:
> iptables -I INPUT 1 -p icmp -j DROP
>
> I am interested in knowing if this work around makes any sense. Please 
> keep me informed about this vulnerability.
>
> Thank you,
> Alok.
>

-- 
"The problem is that, when we begin to realize the potential goodness in ourselves, we often take our discovery much too seriously.  We might kill for goodness or die for goodness; we want it so badly. What is lacking is a sense of humor. Humor here does not mean telling jokes or being comical or criticizing others and laughing at them. A genuine sense of humor is having a light touch: not beating reality into the ground but appreciating reality with a light touch.  The basis of Shambhala vision is rediscovering that perfect and real sense of humor, that light touch of appreciation."
Shambhala - The Sacred Path of the Warrior



Powered by blists - more mailing lists