North American Network Operators Group
Re: Firewall stateful handling of ICMP packets
Jamie Reid wrote:
> Personal view: Well, it was at least the "last straw". Sometimes I wonder if there is any legitimate reason to allow pings from users at all. If the user really needed to use

Personally, I like Rob Thomas's (cymru) stance on ICMP filtering as given in http://www.cymru.com/Documents/icmp-messages.html. This allows pings and PMTU-relevant unreachables.

Granted, there have been a few hacker toys that use ICMP echo-reply or other esoteric ICMP type codes to communicate with their "slaves", but this could be alleviated to some extent with "stateful" ICMP (almost an oxymoron).

The Nachi pings can be stopped by vendor C using policy routing, but this has a side effect of grabbing some unintended packets (Windows traceroute, I think). If you can devise a method to see if the ICMP payload is a load of 0xaa's, then you've narrowed it down to a science, but AFAIK vendor C can't do that (well, maybe an IDS appliance with a custom signature).

You can gain "some" additional protection by rate-limiting ICMP (in the Nachi ping case) and/or UDP (SQL Slammer, etc.), and TCP intercept for SYN flooding. Not perfect, but every little bit helps.

Jeff Kell
University of Tennessee at Chattanooga
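The combination the post sketches (pings and PMTU-relevant unreachables allowed, echo replies only when they answer an echo request the firewall saw leave, a payload check for the all-0xaa Nachi pings, and per-source rate limiting of echo requests) can be modelled in a few dozen lines. The following is an added example written for this page; it is not code from the post, from Jeff Kell, or from the Cymru document. The allow-list (types 8, 0-with-state and 3/4 only), the rate-limit parameters, the class and function names, and the sample packets are all this example's own assumptions, and the Nachi check implements only the pattern the post describes (an echo payload consisting entirely of 0xaa bytes), not a full worm signature.

```python
"""Toy stateful ICMP filter (added example; assumed policy, not from the post)."""
import struct
from collections import defaultdict, deque

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST = 0, 3, 8
FRAG_NEEDED = 4          # destination-unreachable code used for PMTU discovery


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; yields 0 over a packet whose
    checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(typ: int, code: int, ident: int = 0, seq: int = 0,
               payload: bytes = b"") -> bytes:
    """Assemble an ICMP message with a valid checksum (used to construct test input)."""
    header = struct.pack("!BBHHH", typ, code, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", typ, code, csum, ident, seq) + payload


def parse_icmp(pkt: bytes):
    """Return (type, code, ident, seq, payload); raise ValueError if short or corrupt.
    For non-echo types the ident/seq words are simply the 'rest of header'."""
    if len(pkt) < 8:
        raise ValueError("truncated ICMP header")
    if icmp_checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return typ, code, ident, seq, pkt[8:]


def is_nachi_payload(payload: bytes) -> bool:
    """The pattern the post describes: an echo payload that is nothing but 0xaa."""
    return len(payload) > 0 and payload == b"\xaa" * len(payload)


class IcmpFilter:
    def __init__(self, max_echo_per_window: int = 5, window: float = 1.0):
        self.pending = set()              # (src, dst, ident, seq) of replies we expect
        self.recent = defaultdict(deque)  # per-source timestamps of echo requests
        self.max_echo_per_window = max_echo_per_window
        self.window = window

    def outbound(self, src: str, dst: str, pkt: bytes) -> str:
        """Inside -> outside. Remember echo requests so the matching reply gets in."""
        typ, _code, ident, seq, _payload = parse_icmp(pkt)
        if typ == ECHO_REQUEST:
            self.pending.add((dst, src, ident, seq))  # reply travels dst -> src
        return "ACCEPT"

    def _over_rate(self, src: str, now: float) -> bool:
        stamps = self.recent[src]
        while stamps and now - stamps[0] >= self.window:   # sliding window
            stamps.popleft()
        stamps.append(now)
        return len(stamps) > self.max_echo_per_window

    def inbound(self, src: str, dst: str, pkt: bytes, now: float = 0.0) -> str:
        """Outside -> inside. Returns a verdict string."""
        try:
            typ, code, ident, seq, payload = parse_icmp(pkt)
        except ValueError:
            return "DROP malformed"
        if typ == ECHO_REQUEST:
            if is_nachi_payload(payload):
                return "DROP nachi-signature"
            if self._over_rate(src, now):
                return "DROP rate-limit"
            return "ACCEPT"
        if typ == ECHO_REPLY:
            key = (src, dst, ident, seq)
            if key in self.pending:
                self.pending.discard(key)   # one reply per request; a replay is dropped
                return "ACCEPT"
            return "DROP unsolicited-reply"
        if typ == DEST_UNREACH and code == FRAG_NEEDED:
            return "ACCEPT"                 # keep PMTU discovery working
        return "DROP policy"


def demo() -> list:
    """Run constructed packets through the filter and return the verdicts."""
    f = IcmpFilter(max_echo_per_window=3, window=1.0)
    inside, outside, worm = "10.0.0.5", "192.0.2.1", "198.51.100.9"  # constructed
    req = build_icmp(ECHO_REQUEST, 0, ident=0x1234, seq=1, payload=b"hello")
    rep = build_icmp(ECHO_REPLY, 0, ident=0x1234, seq=1, payload=b"hello")
    nachi = build_icmp(ECHO_REQUEST, 0, ident=0x0200, seq=0x1a2b, payload=b"\xaa" * 64)
    plain = build_icmp(ECHO_REQUEST, 0, ident=1, seq=1, payload=b"abcd")
    frag = build_icmp(DEST_UNREACH, FRAG_NEEDED, seq=1280, payload=b"\x00" * 28)  # seq = next-hop MTU
    verdicts = [
        f.outbound(inside, outside, req),   # ACCEPT, state recorded
        f.inbound(outside, inside, rep),    # ACCEPT, matches pending request
        f.inbound(outside, inside, rep),    # DROP unsolicited-reply (replayed)
        f.inbound(worm, inside, nachi),     # DROP nachi-signature
        f.inbound(worm, inside, frag),      # ACCEPT, PMTU unreachable
        f.inbound(worm, inside, rep[:4]),   # DROP malformed
    ]
    verdicts += [f.inbound(worm, inside, plain, now=0.1 * i) for i in range(4)]
    return verdicts  # last four: three ACCEPTs, then DROP rate-limit


if __name__ == "__main__":
    print(demo())
```

The state table keys on (source, destination, identifier, sequence), which is what a real stateful firewall does for echo; the checksum verification matters because a filter that trusts a corrupt header can be driven into the wrong branch. The 0xaa check is deliberately crude, as the post notes: it catches the Nachi ping pattern and nothing else, and a worm that varied its padding would slip past it.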