Bugtraq mailing list archives
Re: TCP/IP implementations do not adequately validate ICMP error messages
From: Maciej Soltysiak <maciej () soltysiak com>
Date: Wed, 11 May 2005 22:05:08 +0200
Hello Alok, Tuesday, May 10, 2005, 4:51:25 PM, you wrote:
when I add the following rule to iptables, the linux server (Kernel 2.4.29-grsec) is no longer vulnerable to the DOS:
iptables -I INPUT 1 -p icmp -j DROP
Um. Other way round:
1) setup a default drop policy
# iptables -P INPUT DROP
2) accept only what you want
# related and established traffic
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow only type: echo request, code: 0 (proper rfc ping)
# iptables -A INPUT -p icmp --icmp-type 8/0 -j ACCEPT
# other rules
I am interested in knowing if this workaround makes any sense. Please keep me informed about this vulnerability.
Unless you are accepting stateful RELATED ICMP traffic, you are probably fine, but are just missing rules to allow PING, which is an RFC MUST AFAIR. If not, you are doing a very bad thing. ICMP is really required for error reporting. You really, really do not want to miss out on these, as it may get you to problems like:
- being unable to detect a need for fragmentation
- being unable to receive dest.unreach. icmps which will cause delays and timeouts.
Blocking all icmp by ISPs is called being criminally brain-dead in a help message of the TCPMSS module for iptables in the kernel source :-)
--
Best regards,
Maciej
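The RELATED rule in the ruleset above does the validation the thread's subject asks for: conntrack only admits an ICMP error whose quoted inner datagram belongs to a connection the host is actually tracking, while an echo request is let in on its own. The following is an added, simplified Python model of that decision (not code from the thread or from netfilter); it assumes a constructed connection table `TRACKED` standing in for conntrack, constructed packets with zero checksums, and no NAT.

```python
import struct
from ipaddress import IPv4Address
# Constructed stand-in for conntrack: ESTABLISHED TCP flows as (local ip, local port, remote ip, remote port).
TRACKED = {("192.0.2.10", 40000, "198.51.100.5", 80)}
ICMP_ERROR_TYPES = {3, 4, 11, 12}  # dest-unreach, source-quench, time-exceeded, param-problem

def ipv4(src, dst, proto, payload):
    """Prepend a minimal IPv4 header (no options, checksum left zero) to payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def parse_ipv4(data):
    """Return (src, dst, proto, payload), or None if the header is truncated or malformed."""
    if len(data) < 20 or data[0] >> 4 != 4:
        return None
    ihl = (data[0] & 0x0F) * 4
    if ihl < 20 or len(data) < ihl:
        return None
    return str(IPv4Address(data[12:16])), str(IPv4Address(data[16:20])), data[9], data[ihl:]

def icmp_verdict(pkt):
    """Apply the ruleset: ACCEPT echo requests and errors RELATED to a tracked flow, DROP the rest."""
    outer = parse_ipv4(pkt)
    if outer is None or outer[2] != 1 or len(outer[3]) < 8:
        return "DROP"
    local_ip, icmp = outer[1], outer[3]
    if (icmp[0], icmp[1]) == (8, 0):
        return "ACCEPT"  # echo request: the one unsolicited ICMP the ruleset lets in
    if icmp[0] not in ICMP_ERROR_TYPES:
        return "DROP"
    inner = parse_ipv4(icmp[8:])  # the quoted datagram that supposedly triggered the error
    if inner is None or inner[2] != 6 or len(inner[3]) < 8:
        return "DROP"
    sport, dport = struct.unpack("!HH", inner[3][:4])
    # RELATED: the quoted packet must be one this host sent on a flow it is tracking
    if inner[0] != local_ip or (inner[0], sport, inner[1], dport) not in TRACKED:
        return "DROP"
    return "ACCEPT"

def icmp_error(router, itype, code, quoted):
    """Constructed ICMP error from router back to the quoted packet's sender."""
    return ipv4(router, parse_ipv4(quoted)[0], 1, bytes([itype, code] + [0] * 6) + quoted)

OURS = ipv4("192.0.2.10", "198.51.100.5", 6, struct.pack("!HH", 40000, 80) + b"\0" * 4)   # constructed: tracked flow
BOGUS = ipv4("192.0.2.10", "198.51.100.5", 6, struct.pack("!HH", 12345, 80) + b"\0" * 4)  # constructed: port never used
SAMPLES = {"frag_needed_related": icmp_error("203.0.113.1", 3, 4, OURS),  # real PMTU signal: ACCEPT
           "frag_needed_bogus": icmp_error("203.0.113.1", 3, 4, BOGUS),   # no such flow: DROP
           "ping": ipv4("203.0.113.1", "192.0.2.10", 1, bytes([8, 0, 0, 0, 0, 1, 0, 1]))}  # ACCEPT
```

A fragmentation-needed error for a flow the host really has passes, so path MTU discovery keeps working, while the same error quoting a connection that never existed is dropped.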
Current thread:
- TCP/IP implementations do not adequately validate ICMP error messages Alok Menghrajani - Ilion Security SA (May 10)
- Re: TCP/IP implementations do not adequately validate ICMP error messages Peter Keel (May 11)
- Re: TCP/IP implementations do not adequately validate ICMP error messages Maciej Soltysiak (May 11)
- Re: SPAM-HIGH: TCP/IP implementations do not adequately validate ICMP error messages David Nichols (May 11)
- RE: TCP/IP implementations do not adequately validate ICMP error messages David Schwartz (May 11)