|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Firewall stateful handling of ICMP packets
Personal view: This was a problem when filtering Nachi while it pinged networks to their knees. Sometimes I wonder if there is any legitimate reason to allow pings from users at all. If the user really needed to use ping, that is, if they were in a position to do anything about the results of the ping tests, then they would know enough to use traceroute in UDP mode or some other tool. There are lots of other useful ICMP types to handle all the other ICMP needs, but ping seems to be something that was created for the convenience of a kind of user that is effectively extinct in todays Internet. ICMP echo is unique among ICMP types in that it is the only one that elicits it's own response. What I mean by this is that source-quench, <foo>-unreachables, and others are all generated by hosts and routers in response to relatively stateful traffic. There is nothing that echos do that SNMP (I know, I know) and traceroute don't accomplish in a more controlled fashion, no? It would kill alot of DDoS attacks and render their zombie networks useless, retire legacy backdoors and viruses, up the ante for network management tools, and slow down some virus propagation substantially. ICMP echos are a bit of a hack and, quite literally, noise, and I wonder if it may be time to consider unofficially retiring them using filters. -- Jamie.Reid, CISSP, [email protected] Senior Security Specialist, Information Protection Centre Corporate Security, MBS 416 327 2324 >>> "Sean Donelan" <[email protected]> 12/03/03 05:12pm >>> You could drop ICMP packets at your firewall if the firewalls properly implemented stateful inspection of ICMP packets. The problem is few firewalls include ICMP responses in their statefull analysis. So you are left with two bad choices, permit "all" ICMP packets or deny "all" ICMP packets. <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META http-equiv=Content-Type content="text/html; charset=windows-1252"> <META content="MSHTML 6.00.2800.1226" name=GENERATOR></HEAD> <BODY style="MARGIN-TOP: 2px; FONT: 8pt Tahoma; MARGIN-LEFT: 2px"> <DIV><FONT size=1></FONT> </DIV> <DIV><FONT size=1>Personal view: </FONT></DIV> <DIV><FONT size=1></FONT> </DIV> <DIV><FONT size=1>This was a problem when filtering Nachi while it pinged networks</FONT></DIV> <DIV><FONT size=1>to their knees. </FONT></DIV> <DIV><FONT size=1></FONT> </DIV> <DIV><FONT size=1>Sometimes I wonder if there is any legitimate reason to allow </FONT></DIV> <DIV><FONT size=1>pings from users at all. If the user really needed to use</FONT></DIV> <DIV><FONT size=1>ping, that is, if they were in a position to do anything about the</FONT></DIV> <DIV><FONT size=1>results of the ping tests, then they would know enough to </FONT></DIV> <DIV><FONT size=1>use traceroute in UDP mode or some other tool. </FONT></DIV> <DIV><FONT size=1></FONT> </DIV> <DIV><FONT size=1>There are lots of other useful ICMP types to handle all</FONT></DIV> <DIV><FONT size=1>the other ICMP needs, but ping seems to be something</FONT></DIV> <DIV><FONT size=1>that was created for the convenience of a kind of user</FONT></DIV> <DIV><FONT size=1>that is effectively extinct in todays Internet. </FONT></DIV> <DIV><FONT size=1></FONT> </DIV> <DIV><FONT size=1>ICMP echo is unique among ICMP types in that it is the</FONT></DIV> <DIV><FONT size=1>only one that elicits it's own response. What I mean by</FONT></DIV> <DIV><FONT size=1>this is that source-quench, <foo>-unreachables, and others</FONT></DIV> <DIV><FONT size=1>are all generated by hosts and routers in response to </FONT></DIV> <DIV><FONT size=1>relatively stateful traffic. There is nothing that echos</FONT></DIV> <DIV><FONT size=1>do that SNMP (I know, I know) and traceroute don't</FONT></DIV> <DIV><FONT size=1>accomplish in a more controlled fashion, no? </FONT></DIV> <DIV><FONT size=1></FONT> </DIV> <DIV><FONT size=1>It would kill alot of DDoS attacks and render their zombie </FONT></DIV> <DIV><FONT size=1>networks useless, retire legacy backdoors </FONT><FONT size=1>and viruses, up </FONT></DIV> <DIV><FONT size=1>the ante for network management tools, </FONT><FONT size=1>and slow down</FONT></DIV> <DIV><FONT size=1>some virus propagation substantially. </FONT></DIV> <DIV><FONT size=1></FONT> </DIV> <DIV><FONT size=1>ICMP echos are a bit of a hack and, quite literally, </FONT><FONT size=1>noise, </FONT></DIV> <DIV><FONT size=1>and I wonder if it </FONT><FONT size=1>may be time to consider unofficially </FONT></DIV> <DIV><FONT size=1>retiring them using filters. </FONT></DIV> <DIV><FONT size=1></FONT> </DIV> <DIV><FONT size=1></FONT> </DIV> <DIV> </DIV> <DIV> </DIV> <DIV><BR> </DIV> <DIV> </DIV> <DIV>--<BR>Jamie.Reid, CISSP, <A href="mailto:[email protected]";>[email protected]</A><BR>Senior Security Specialist, Information Protection Centre <BR>Corporate Security, MBS <BR>416 327 2324 <BR>>>> "Sean Donelan" <[email protected]> 12/03/03 05:12pm >>><BR><BR><BR>You could drop ICMP packets at your firewall if the firewalls properly<BR>implemented stateful inspection of ICMP packets. The problem is few<BR>firewalls include ICMP responses in their statefull analysis. So you are<BR>left with two bad choices, permit "all" ICMP packets or deny "all" ICMP<BR>packets.<BR><BR><BR><BR></DIV></BODY></HTML>
|