Bugtraq mailing list archives

Re: Router programming,source routes and spoofed ICMP attacks.


From: fitz () draco mv com (Tom Fitzgerald)
Date: Fri, 21 Jun 1996 01:45:30 -0400


2: If you run a vulnerable machine (IRC or other chat server), consider
  blocking icmp from outside your network from being passed through if
  it's destined for that server.

I noticed a bit of this weirdness being reported by gated the other day.
Does anyone know how to block it at the gated level, or is it
automatically done because it isn't on the local network?

Gated was probably complaining about route-redirects, which are one (rare)
form of bomb.  Gated can't block them but it will remove the redirected
routes as soon as it notices them, so you may get a hiccup in availability
but no lost connections.  ICMP bombs made of host-unreachables and
port-unreachables are more common - gated won't see them and on some
platforms they'll cause a disconnect.

The fix for redirect bombs is to do standard spoof-filtering: block all
packets coming into your site that have a source-address within your site.
Your TCP stack should also make sure that the source of a redirect is the
original next-hop for the specified route (BSD 4.4 does this but I don't
know how common it is).

Responding to the original poster....  people should NOT block ICMPs to
systems that don't let unreachables disconnect a connection that's in
ESTABLISHED state.  These systems are immune to bombs, and blocking all
ICMPs has bad side-effects like making e-mail delivery attempts take much
longer.  Fixing the TCP stack is the real solution; filtering ICMPs is a
crude hack to get around a broken TCP.

--
Tom Fitzgerald    fitz () draco mv com
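The two stack-side checks the post describes, as an added Python example that is not code from the original post: the BSD 4.4 rule that a redirect is honoured only when its sender is the next hop currently installed for the embedded destination, and a TCP policy under which unreachables never tear down an ESTABLISHED connection. The routing table, addresses, and ICMP bytes are constructed for illustration.

```python
import ipaddress
import struct

# Constructed routing table (assumed, not from the post): network -> next hop in use.
ROUTES = {
    ipaddress.ip_network("10.1.0.0/16"): ipaddress.ip_address("192.0.2.1"),
    ipaddress.ip_network("0.0.0.0/0"): ipaddress.ip_address("192.0.2.254"),
}

ICMP_REDIRECT = 5
HARD_UNREACH_CODES = {2, 3, 4}  # protocol, port, fragmentation-needed (RFC 1122 hard errors)

def build_redirect(new_gw, orig_dst):
    """Build a constructed ICMP host redirect: 8-byte ICMP header (checksum left 0)
    followed by the 20-byte IP header it refers to (destination at offset 16)."""
    hdr = struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0, ipaddress.ip_address(new_gw).packed)
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                        ipaddress.ip_address("10.0.0.2").packed,
                        ipaddress.ip_address(orig_dst).packed)
    return hdr + inner

def current_next_hop(dst):
    """Longest-prefix match over ROUTES: the gateway currently used for dst."""
    best = None
    for net, gw in ROUTES.items():
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def accept_redirect(src_ip, payload):
    """The BSD 4.4 check the post mentions: honour a redirect only when its
    sender is the next hop currently installed for the embedded destination."""
    if len(payload) < 28:
        return False
    icmp_type, _code, _csum, _gw = struct.unpack("!BBH4s", payload[:8])
    if icmp_type != ICMP_REDIRECT:
        return False
    dst = ipaddress.ip_address(payload[8 + 16:8 + 20])
    return ipaddress.ip_address(src_ip) == current_next_hop(dst)

def unreachable_aborts(icmp_code, tcp_state):
    """TCP policy the post recommends: an unreachable never tears down a
    connection in ESTABLISHED state; while connecting, only hard errors abort."""
    if tcp_state == "ESTABLISHED":
        return False
    return icmp_code in HARD_UNREACH_CODES

# Constructed sample: a redirect pointing 10.1.5.5 at a new gateway 192.0.2.7.
REDIRECT_MSG = build_redirect("192.0.2.7", "10.1.5.5")
```

The same redirect bytes are accepted when they arrive from 192.0.2.1 (the installed next hop for 10.1.0.0/16) and rejected when they arrive from any other address, which is what defeats a spoofed redirect bomb.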
