North American Network Operators Group


Re: Firewall stateful handling of ICMP packets

  • From: Jamie Reid
  • Date: Wed Dec 03 22:14:04 2003

Personal view: 

This was a problem when filtering Nachi while it pinged networks
to their knees. 

Sometimes I wonder if there is any legitimate reason to allow 
pings from users at all. If the user really needed to use
ping, that is, if they were in a position to do anything about the
results of the ping tests, then they would know enough to 
use traceroute in UDP mode or some other tool. 

There are lots of other useful ICMP types to handle all
the other ICMP needs, but ping seems to be something
that was created for the convenience of a kind of user
that is effectively extinct in today's Internet.

ICMP echo is unique among ICMP types in that it is the
only one that elicits its own response. What I mean by
this is that source-quench, <foo>-unreachables, and others
are all generated by hosts and routers in response to 
relatively stateful traffic. There is nothing that echoes
do that SNMP (I know, I know) and traceroute don't
accomplish in a more controlled fashion, no? 

It would kill a lot of DDoS attacks and render their zombie 
networks useless, retire legacy backdoors and viruses, up 
the ante for network management tools, and slow down
some virus propagation substantially. 

ICMP echoes are a bit of a hack and, quite literally, noise, 
and I wonder if it may be time to consider unofficially 
retiring them using filters. 

--
Jamie.Reid, CISSP, jamie.reid@mbs.gov.on.ca
Senior Security Specialist, Information Protection Centre 
Corporate Security, MBS  
416 327 2324 
>>> "Sean Donelan" <sean@donelan.com> 12/03/03 05:12pm >>>


You could drop ICMP packets at your firewall if the firewalls properly
implemented stateful inspection of ICMP packets.  The problem is few
firewalls include ICMP responses in their stateful analysis.  So you are
left with two bad choices, permit "all" ICMP packets or deny "all" ICMP
packets.
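As an added example (not code from either poster), here is the stateful ICMP matching Sean describes and that Jamie's distinction rests on: an echo reply is admitted only if it answers an echo request the inside host sent, and an unreachable/time-exceeded error is admitted only if the IP header it quotes belongs to a TCP/UDP flow the inside host originated. Packet builders, addresses, identifiers and port numbers below are all constructed for the demonstration.

```python
import struct
ECHO_REPLY, DEST_UNREACH, TIME_EXCEEDED = 0, 3, 11

def ipv4_hdr(proto, src, dst):
    """Constructed minimal 20-byte IPv4 header (checksum left zero)."""
    s, d = (bytes(int(o) for o in a.split(".")) for a in (src, dst))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0, s, d)

def icmp_echo_reply(ident, seq):
    return struct.pack("!BBHHH", ECHO_REPLY, 0, 0, ident, seq)

def icmp_unreachable(proto, src, sport, dst, dport):
    """Type 3 error quoting the offending IPv4 header + 8 transport bytes."""
    quoted = ipv4_hdr(proto, src, dst) + struct.pack("!HHI", sport, dport, 0)
    return struct.pack("!BBHI", DEST_UNREACH, 3, 0, 0) + quoted

class IcmpStateTable:
    """Outbound state a firewall would keep in order to judge inbound ICMP."""
    def __init__(self):
        self.echo = set()    # (src, dst, ident, seq) of outbound echo requests
        self.flows = set()   # (proto, src, sport, dst, dport) of outbound TCP/UDP
    def note_outbound_echo(self, src, dst, ident, seq):
        self.echo.add((src, dst, ident, seq))
    def note_outbound_flow(self, proto, src, sport, dst, dport):
        self.flows.add((proto, src, sport, dst, dport))

    def inbound_allowed(self, src, dst, icmp):
        """Admit the ICMP message from src to dst only if it answers our state."""
        itype = icmp[0]
        if itype == ECHO_REPLY:
            ident, seq = struct.unpack("!HH", icmp[4:8])
            key = (dst, src, ident, seq)          # a reply reverses the addresses
            if key in self.echo:
                self.echo.discard(key)            # one reply per request
                return True
            return False
        if itype in (DEST_UNREACH, TIME_EXCEEDED):
            quoted = icmp[8:]
            if len(quoted) < 20 or len(quoted) < (quoted[0] & 0x0F) * 4 + 4:
                return False                      # truncated quote: cannot verify
            ihl = (quoted[0] & 0x0F) * 4
            proto = quoted[9]
            qsrc = ".".join(str(b) for b in quoted[12:16])
            qdst = ".".join(str(b) for b in quoted[16:20])
            sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
            # Any router on the path may emit the error, so src is not checked,
            # but it must be addressed to the host that sent the quoted packet.
            return dst == qsrc and (proto, qsrc, sport, qdst, dport) in self.flows
        return False    # unsolicited echo requests and everything else: drop
```

With this table in place, "deny all ICMP" no longer has to discard the unreachables and time-exceeded messages that UDP traceroute and path MTU discovery depend on.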