Message-ID: <428214C7.8020702@amci.com>
Date: Wed, 11 May 2005 10:20:55 -0400
From: David Nichols <dnichols@...i.com>
To: Alok Menghrajani - Ilion Security SA <alok@...onsecurity.ch>
Cc: bugtraq@...urityfocus.com
Subject: Re: SPAM-HIGH: TCP/IP implementations do not adequately validate ICMP error messages
Hello Alok-
What you are doing is dropping all incoming icmp packets, including
those that may be valid. A much better way of dealing with the problem
is rate limiting the packets so that they get through as long as they
come in slow enough. The idea is that a DOS will send you a large
number of packets in a very short amount of time. Those you can safely
drop.
Here's a short example that creates two tables, one for incoming icmp
(icmp_in) and one for outgoing icmp (icmp_out).
icmp_in is called with the following line in the INPUT table:
$IPTABLES -A INPUT -p ICMP -j icmp_in
icmp_out is called with the following line in the OUTPUT table:
$IPTABLES -A OUTPUT -p icmp -j icmp_out
############################################
# filter.icmp_in chain
# Called from filter.input
#
# 1. Only accept 4 types based on their icmp-type
# Type 0: Echo Replies (allows response from Ping request by firewall)
# State matched to prevent replies we didn't request.
# Type 8: Echo Request (allows LAN and Internet to Ping the firewall, rate
# limited to prevent Ping o' Death attacks.
# Type 3: Destination Unreachable (All type codes)
# Type 11: Time Exceeded: TTL = 0 in transit
# Types 3 & 11 allowed so DNS proxy can receive errors contacting a server.
#
echo "icmp_in"
$IPTABLES -N icmp_in
$IPTABLES -A icmp_in -p ICMP --icmp-type 0 -m state \
--state ESTABLISHED -j ACCEPT
$IPTABLES -A icmp_in -i $LAN_IFACE -p ICMP --icmp-type 8 \
-m limit --limit 100/second --limit-burst 5 -j ACCEPT
$IPTABLES -A icmp_in -i $INET_IFACE -p ICMP --icmp-type 8 \
-m limit --limit 50/second --limit-burst 5 -j ACCEPT
$IPTABLES -A icmp_in -p ICMP --icmp-type 3 -m limit \
--limit 25/second --limit-burst 5 -j ACCEPT
$IPTABLES -A icmp_in -p ICMP --icmp-type 11 -m limit \
--limit 25/second --limit-burst 5 -j ACCEPT
$IPTABLES -A icmp_in -p ICMP -j DROP
############################################
# filter.icmp_out chain
# Called from filter.output
#
# 1. Only output 4 types based on their icmp-type
# Type 0: Echo Replies (allows response from Ping request to firewall)
# Incoming echo requests are rate limited in the icmp_in chain above.
# Type 8: Echo Request (allows basic connectivity check from firewall)
# Type 3: Destination Unreachable (All type codes)
# Type 11: Time Exceeded: TTL = 0 in transit
# Types 3 & 11 allowed so firewall can send out errors contacting internal DNS.
echo "icmp_out"
$IPTABLES -N icmp_out
$IPTABLES -A icmp_out -p ICMP --icmp-type 0 -m state \
--state ESTABLISHED -j ACCEPT
$IPTABLES -A icmp_out -p ICMP --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_out -p ICMP --icmp-type 3 -j ACCEPT
$IPTABLES -A icmp_out -p ICMP --icmp-type 11 -j ACCEPT
$IPTABLES -A icmp_out -m limit --limit 3/minute --limit-burst 1 -j LOG \
--log-level DEBUG --log-prefix "Improper ICMP from FW: "
$IPTABLES -A icmp_out -p ICMP -j DROP
There's a great iptables tutorial on the web that explains rate limiting
packets, along with everything else.
http://iptables-tutorial.frozentux.net/
Hope this helped!
David Nichols
Alok Menghrajani - Ilion Security SA wrote:
> Hi,
>
> I was playing around with the ICMP error messages DOS attack (I found
> an exploit on securityfocus.org bid 13214), and I noticed the
> following workaround:
>
> when I add the following rule to iptables, the linux server (Kernel
> 2.4.29-grsec) is no longer vulnerable to the DOS:
> iptables -I INPUT 1 -p icmp -j DROP
>
> I am interested in knowing if this workaround makes any sense. Please
> keep me informed about this vulnerability.
>
> Thank you,
> Alok.
>
--
"The problem is that, when we begin to realize the potential goodness in ourselves, we often take our discovery much too seriously. We might kill for goodness or die for goodness; we want it so badly. What is lacking is a sense of humor. Humor here does not mean telling jokes or being comical or criticizing others and laughing at them. A genuine sense of humor is having a light touch: not beating reality into the ground but appreciating reality with a light touch. The basis of Shambhala vision is rediscovering that perfect and real sense of humor, that light touch of appreciation."
Shambhala - The Sacred Path of the Warrior
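The point of the reply above is the difference between Alok's blanket `-p icmp -j DROP` and a `-m limit` rule that still lets a slow trickle of ICMP errors through. The following is an added example, not code from either poster: a small token-bucket model of the iptables `limit` match (bucket of `--limit-burst` tokens, refilled at `--limit` per second, one token per matched packet; a simplification of netfilter's credit accounting) run over a constructed trace. The trace, the host addresses (RFC 5737 documentation ranges) and the `icmp_in_chain` / `compare_policies` function names are all assumptions made for this example; only the `limit` rules of the icmp_in chain are modelled, not the `state` or interface matches.

```python
"""Token-bucket model of `iptables -m limit --limit R/second --limit-burst B`.

Added example, not part of the original bugtraq thread. Compares the
"drop all ICMP" rule from the quoted question with the rate-limited
icmp_in chain from the reply, on a constructed packet trace.
"""
from fractions import Fraction
from typing import Dict, List, Tuple

# A packet in the trace: (arrival time in seconds, ICMP type, source address).
Packet = Tuple[Fraction, int, str]


class LimitMatch:
    """One `-m limit` instance. The bucket is shared by every packet that
    reaches the rule; iptables does not keep it per source address."""

    def __init__(self, rate_per_sec: int, burst: int) -> None:
        self.rate = Fraction(rate_per_sec)
        self.burst = Fraction(burst)
        self.tokens = self.burst          # bucket starts full
        self.last = Fraction(0)

    def matches(self, now) -> bool:
        # Refill proportionally to elapsed time, capped at the burst size,
        # then spend one token if one is available.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def drop_all_icmp(trace: List[Packet]) -> List[Packet]:
    """`iptables -I INPUT 1 -p icmp -j DROP`: nothing gets through."""
    return []


def icmp_in_chain(trace: List[Packet], limits: Dict[int, LimitMatch]) -> List[Packet]:
    """Rate-limited chain: ACCEPT a type while its bucket has a token,
    DROP every other ICMP type (the closing `-p ICMP -j DROP` rule)."""
    accepted = []
    for pkt in sorted(trace, key=lambda p: p[0]):
        when, icmp_type, _src = pkt
        match = limits.get(icmp_type)
        if match is not None and match.matches(when):
            accepted.append(pkt)
    return accepted


def build_trace() -> List[Packet]:
    """Constructed trace (assumption, not captured traffic): a legitimate
    type 3 (destination unreachable) every 0.3 s from one host, three
    ICMP redirects (type 5) that no rule accepts, and a 2000-packet
    type 3 flood from another host squeezed into 0.2 s starting at 4.05 s."""
    legit = [(Fraction(3, 10) * k, 3, "198.51.100.7") for k in range(34)]
    redirects = [(Fraction(11, 10) + k, 5, "198.51.100.7") for k in range(3)]
    flood = [(Fraction(405005, 100000) + k * Fraction(1, 10000), 3, "203.0.113.9")
             for k in range(2000)]
    return legit + redirects + flood


def compare_policies() -> Dict[str, Dict[str, int]]:
    """Run both policies over the same trace; count accepted packets per source."""
    trace = build_trace()
    # Same numbers as the reply's icmp_in chain: types 3 and 11 at
    # 25/second burst 5, type 8 at 50/second burst 5 (Internet side).
    limits = {3: LimitMatch(25, 5), 11: LimitMatch(25, 5), 8: LimitMatch(50, 5)}
    results = {}
    for name, accepted in (("drop_all", drop_all_icmp(trace)),
                           ("rate_limited", icmp_in_chain(trace, limits))):
        per_src: Dict[str, int] = {}
        for _when, _icmp_type, src in accepted:
            per_src[src] = per_src.get(src, 0) + 1
        per_src["total"] = len(accepted)
        results[name] = per_src
    return results


if __name__ == "__main__":
    for policy, counts in compare_policies().items():
        print(policy, counts)
```

Under the blanket DROP no ICMP error ever reaches the host; under the limited chain the flood is clipped to the initial burst plus 25 per second of its duration (9 of 2000 packets), while 33 of the 34 legitimate errors still arrive. The one legitimate packet that is lost is the one arriving in the middle of the flood: the bucket is shared by all sources, so a flood exhausts it for everyone for as long as it lasts. That is the trade-off to keep in mind when tuning `--limit` and `--limit-burst`.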