ICMP types used in attacks

vexer · 05-12-2003, 03:27 PM

What are the most common ICMP packet types used in attacks?

(I'm looking to block them off with the REJECT flag)

unSpawn · 05-14-2003, 07:12 AM

AFAIK the main ICMP usage in DoS attacks are (spoofed source address) echo requests to a (remote subnet) broadcast addr to build up amplification (smurfing). I think it's best to try to see restricting ICMP usage as a small part in the larger security framework which consists of (not having those ancient services running in the first place) sysctl values, address filtering, rate limiting and blocking or restricting some ICMP type usage (traceroute (TTL), redirection). Please also note ICMP is an error reporting protocol so blocking everything definately isn't a Good Thing to do.

For more, please see the 1st thread in this forum, post #2 under DoS and DDoS and also look at Robert Graham's Firewall FAQ as it has a good piece of information on ICMP.

HTH.

markus1982 · 05-20-2003, 12:03 AM

Well Nessus just lists following when doing a scan:

Quote:

The remote host answers to an ICMP timestamp
request. This allows an attacker to know the
date which is set on your machine.

This may help him to defeat all your
time based authentication protocols.

Solution : filter out the ICMP timestamp
requests (13), and the outgoing ICMP
timestamp replies (14).

Risk factor : Low
CVE : CAN-1999-0524
Nessus ID : 10114

And if your Kernel is < 2.4.21 then it will also point out (if doing a scan on the same subnet):

Quote:

The remote host is vulnerable to an 'Etherleak' -
the remote ethernet driver seems to leak bits of the
content of the memory of the remote operating system.

Note that an attacker may take advantage of this flaw
only when its target is on the same physical subnet.

See also : http://www.atstake.com/research/advi.../a010603-1.txt
Solution : Contact your vendor for a fix
Risk factor : Serious
CVE : CAN-2003-0001
Nessus ID : 11197
Warning general/icmp