[LINK] DNS outage?

Crispin Harris crispin.harris at gmail.com
Wed Jul 29 18:52:09 AEST 2009

On Wed, Jul 29, 2009 at 3:43 PM, Kim Holburn <kim at holburn.net> wrote:

> On 2009/Jul/29, at 1:40 AM, Rick Welykochy wrote:
> > Stilgherrian wrote:
> >
> >> block such attempts to do reconnaissance like that, for security
> >> reasons, as someone said earlier.

Reconnaissance is but one of the threats that paranoid security professionals
attempt to protect against. Personally, it is one of the least important
ones - I prefer to provide diagnostic/availability capabilities even if I
have to allow specific host discovery weaknesses.

The other risks associated with ICMP, however, are of much greater concern.

> > Have there been any exploits or attacks based on ICMP, for example?
> > DDoS, ping of death?

Here are a few examples.

Some examples of deliberately hostile things done with VALID ICMP messages:
 - Malicious source-quench (ICMP has a "Slow-Down you B*st*rd, I'm Full")
 - Traffic redirection (ICMP supplies a "you need to go here to get there")
 - Traffic Blocking (ICMP can say "Stop - that doesn't exist here", and "You
   can't get there from here")

Some information that can be gleaned from ICMP messages:
 - what time zone are you in?
 - What is your network mask?
 - Are you a router? (Where do you connect?)
 - What is your domain name?

Some examples of deliberate misuse of (occasionally valid) ICMP messages:
 - Telnet over ICMP-Echo
    (Yes - you CAN do interactive network traffic over ping! -
     I have personal experience of this in an attack scenario as far back as
     - and more than once since)
 - correctly formed large ICMP-Echo causing system failure
   ("Ping of Death" & DoS attacks)
 - malformed and/or mis-ordered ICMP-echo causing firewall or IDS/IPS
   (usually as an "out-of-state session reconstruction" attack.
   This can frequently cause monitoring systems to fail.)
 - malformed ICMP-Port Unavailable messages
   (source=destination=target can cause service or system failures)

> Often ping is allowed for public servers.

Yes - this should, however, be enabled with knowledge of the associated
risks :-)
(Ahhh damn - there I go, showing my Risk Management colours again.)

My professional advice is usually:
 - Allow the following by specific rule:
   ICMP-Echo-Request (to your protected services from *)
   ICMP-Echo-Reply (from your protected services to * - statefully applied
   if possible)
   ICMP & UDP traceroute (both ways, but in separate rules - preferably
   prevent your firewall/load-balancer from participating)
   ICMP-Destination Unreachable (to your protected system & access control
   devices -**under discussion**-)
     Usually required for PMTUd (Path MTU discovery - MTU=Maximum
     Transmittable Unit)
 - Block all other ICMP.
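As an added illustration (not part of Crispin's post, and not a ruleset from any project), here is how that advice translates into an nftables ruleset for a single public server. The service port (443), the rate limit on Echo-Request, and the UDP traceroute port range are assumptions; IPv6 is left out because ICMPv6 needs its own policy (neighbour discovery depends on it).

```nftables
#!/usr/sbin/nft -f
# Added example: nftables ruleset applying the ICMP policy described above
# to one public host. Port 443, the rate limit and the traceroute port
# range are assumed values, not from the post.
flush ruleset

table inet icmp_policy {
    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state invalid drop

        # "Block all other ICMP": the hostile and information-leaking types
        # are dropped explicitly and counted, so attempts show up in
        # `nft list ruleset`. This sits BEFORE the conntrack accept because
        # conntrack treats Source Quench and Redirect as errors "related" to
        # an existing flow and would otherwise let them through.
        icmp type { source-quench, redirect, timestamp-request,
                    address-mask-request, router-solicitation,
                    router-advertisement, info-request } counter drop

        # Echo-Reply, Time Exceeded for traceroutes this host runs, and
        # Destination Unreachable for flows this host opened all arrive as
        # established/related: this is the "statefully applied" part.
        ct state established,related accept

        # Echo-Request to the protected service from anywhere, rate-limited
        # so a ping flood cannot tie up the host.
        icmp type echo-request limit rate 10/second burst 20 packets accept

        # Inbound UDP traceroute probes: the final hop needs to see them so
        # it can answer with Port Unreachable and terminate the trace.
        udp dport 33434-33534 accept

        # Destination Unreachable outside an existing flow: only
        # "fragmentation needed" (code 4) is kept, for Path MTU discovery.
        icmp type destination-unreachable icmp code frag-needed accept

        # The protected service itself (port assumed).
        tcp dport 443 ct state new accept
    }

    chain output {
        type filter hook output priority filter; policy accept;

        # A host has no business sending Redirect or Source Quench; drop
        # them outbound so a compromised service cannot steer traffic.
        icmp type { redirect, source-quench } counter drop
    }
}
```

Check the file with `nft -c -f icmp_policy.nft` before loading it with `nft -f`; the counters on the two drop rules give a cheap view of how much Source Quench, Redirect, timestamp and address-mask probing the host actually sees.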


Crispin Harris
crispin.harris at gmail.com
"Well, you know... most Catholics are so boring, you kind of expect them to
be fairly reasonable and not, say, frothing papal fanboys with the IQ of a
turnip. So he had me fooled. Not any more, though."
Thanks to Eric The FruitBat (etfb.livejournal.com)
