Alok Menghrajani - Ilion Security SA wrote:
> Hi,
>
> I was playing around with the ICMP error messages DOS attack (I found an
> exploit on securityfocus.org bid 13214), and I noticed the following
> workaround:
>
> when I add the following rule to iptables, the linux server (Kernel
> 2.4.29-grsec) is no longer vulnerable to the DOS:
> iptables -I INPUT 1 -p icmp -j DROP
>
> I am interested in knowing if this workaround makes any sense. Please
> keep me informed about this vulnerability.

It does not make sense. A few years ago somebody wrote an essay about that,
titled "security zealots break the internet" (can't find it anymore, though).
And that is what this does.

RFC 1122 states:

"A Destination Unreachable message that is received MUST be reported to the
transport layer. The transport layer SHOULD use the information
appropriately; for example, see Sections 4.1.3.3, 4.2.3.9, and 4.2.4 below.
A transport protocol that has its own mechanism for notifying the sender
that a port is unreachable (e.g., TCP, which sends RST segments) MUST
nevertheless accept an ICMP Port Unreachable for the same purpose."

The problem:

- Hosts trying to send you something will experience a 2 minute delay,
  which might lead to a DoS-attack against that host. We had that: some
  customer's primary MX did it, his sendmail went down, and our secondary
  MX had hundreds of open connections.

The other problem (fragmentation needed):

- Some DSL-users have a lower MTU. You will block any request to fragment
  packets, so your host will be unreachable. Some idiots at internet-banks
  did that.
This one is better:

iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp --icmp-type port-unreachable -j ACCEPT
iptables -A INPUT -p icmp -j DROP

Regards
Peter Keel

-- 
Operator in charge of Security          Tel +41 1 287 2993
Cyberlink Internet Services AG          Fax +41 1 287 2991
Richard Wagnerstrasse 6                 admin@xxxxxxxxxxxx
CH-8002 Zuerich                         http://www.cyberlink.ch
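The point of the reply is that a firewall may drop most ICMP but must still let the two error messages RFC 1122 and path-MTU discovery depend on (Destination Unreachable code 4 "fragmentation needed" and code 3 "port unreachable") reach the host. The following audit script is an added example, not part of the thread and not Cyberlink's code: it reads an `iptables-save` style dump of the filter table, walks the INPUT chain in rule order, and reports what happens to those two messages, so a defender can catch the blanket `-p icmp -j DROP` mistake before it reaches production. The three rulesets embedded below are constructed samples; the ICMP type names it understands are the standard iptables names, and both the name form (`--icmp-type fragmentation-needed`) and the numeric form that `iptables-save` emits (`--icmp-type 3/4`) are accepted.

```python
"""Audit an iptables-save dump for the ICMP-filtering mistake discussed in the thread."""
import re

# Subset of the ICMP type names iptables accepts, mapped to (type, code); None = any code.
ICMP_NAMES = {
    "any": (None, None),
    "echo-reply": (0, None),
    "destination-unreachable": (3, None),
    "network-unreachable": (3, 0),
    "host-unreachable": (3, 1),
    "port-unreachable": (3, 3),
    "fragmentation-needed": (3, 4),
    "echo-request": (8, None),
    "time-exceeded": (11, None),
}

# Messages a reachable host must accept (RFC 1122 section 3.2.2.1, path-MTU discovery).
REQUIRED = {
    "fragmentation-needed": (3, 4),
    "port-unreachable": (3, 3),
}

# Constructed sample dumps (not taken from the original message).
BAD_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -j DROP
-A INPUT -p tcp --dport 25 -j ACCEPT
COMMIT
"""

GOOD_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3/3 -j ACCEPT
-A INPUT -p icmp -j DROP
COMMIT
"""

# Stateful variant: ICMP errors for existing flows are accepted via conntrack only.
CONNTRACK_RULESET = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j DROP
COMMIT
"""


def parse_icmp_type(spec):
    """Turn 'fragmentation-needed', '3' or '3/4' into a (type, code) tuple."""
    if spec in ICMP_NAMES:
        return ICMP_NAMES[spec]
    m = re.fullmatch(r"(\d+)(?:/(\d+))?", spec)
    if not m:
        raise ValueError(f"unknown icmp type {spec!r}")
    return int(m.group(1)), (int(m.group(2)) if m.group(2) is not None else None)


def matches(rule_tc, msg_tc):
    """Does a rule's (type, code) selector cover a concrete message (type, code)?"""
    rtype, rcode = rule_tc
    mtype, mcode = msg_tc
    if rtype is None:
        return True
    if rtype != mtype:
        return False
    return rcode is None or rcode == mcode


def parse_input_rules(dump):
    """Return (policy, rules) for INPUT; each rule is (selector, target, unconditional)."""
    policy = "ACCEPT"
    rules = []
    for line in dump.splitlines():
        tokens = line.strip().split()
        if tokens and tokens[0] == ":INPUT":
            policy = tokens[1]
            continue
        if len(tokens) < 2 or tokens[0] != "-A" or tokens[1] != "INPUT":
            continue
        proto = tokens[tokens.index("-p") + 1] if "-p" in tokens else "all"
        if proto not in ("icmp", "all") or "-j" not in tokens:
            continue  # cannot match ICMP, or has no terminating target
        target = tokens[tokens.index("-j") + 1]
        selector = (None, None)
        if "--icmp-type" in tokens:
            selector = parse_icmp_type(tokens[tokens.index("--icmp-type") + 1])
        # Any token we do not recognise (-s, -i, --ctstate, '!', ...) narrows the
        # match, so the rule no longer decides the fate of *every* such message.
        recognised = {"-A", "INPUT", "-p", proto, "-m", "icmp", "--icmp-type", "-j", target}
        if "--icmp-type" in tokens:
            recognised.add(tokens[tokens.index("--icmp-type") + 1])
        unconditional = all(t in recognised for t in tokens)
        rules.append((selector, target, unconditional))
    return policy, rules


def icmp_verdicts(dump):
    """For each required ICMP message, report what the INPUT chain does with it."""
    policy, rules = parse_input_rules(dump)
    verdicts = {}
    for name, tc in REQUIRED.items():
        verdict = "policy:" + policy  # no rule matched: chain policy applies
        for selector, target, unconditional in rules:
            if matches(selector, tc):  # first matching rule decides
                verdict = target if unconditional else f"conditional:{target}"
                break
        verdicts[name] = verdict
    return verdicts


def audit(dump):
    """Names of required ICMP messages the ruleset does not accept unconditionally."""
    return sorted(name for name, v in icmp_verdicts(dump).items() if v != "ACCEPT")


if __name__ == "__main__":
    for label, dump in (("bad", BAD_RULESET), ("good", GOOD_RULESET), ("conntrack", CONNTRACK_RULESET)):
        print(label, icmp_verdicts(dump), "missing:", audit(dump))
```

Run it against a real dump with `iptables-save -t filter` piped into a file and passed to `audit()`. The "conditional" verdict is deliberate: a `RELATED,ESTABLISHED` accept does let ICMP errors belonging to tracked connections through, but only those, so the script reports it as a conditional accept rather than silently treating it as equivalent to the per-type accepts in the reply.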