
Re: [Fwd: icmp (8/0)]

Hi,

> 
> Subject: icmp (8/0)
> Date: Wed, 17 Jun 1998 14:52:05 -0200
> From: Eli Marmor <marmor@elmar.co.il>
> Organization: El-Mar Software Ltd.
> To: linux ILUG <linux-il@linux.org.il>
> 
> Hi,
> this question may be off-topic (because it deals with security),
> although I don't think so:
> 
> I configured my router to deny all the ICMPs, except for very
> specific ones (those needed for traceroute, etc.). For example, it
> is impossible to ping me or (for me) to ping others. The specific
> ICMP that this message deals with, is (8/0) (what is this? I
> forgot!). This way proves itself, since I notice again and again
> that network scanners scan all my IPs from the lowest to the
> highest, and try to send ICMP (8/0) to them. On the other hand,
> some innocent clients (such as the FTP client built into Netscape
> Communicator 4 for Win95), need this ICMP too, and without it they
> stop the session and claim that the connection was refused. Two questions:
> 
> 1. What is ICMP 8/0?  Why is it so important for hackers? Is there
>    any vulnerability with it?  Is this potential hole relevant for
>    us?  (or only for specific OSs, or for old kernels/services/
>    etc.)?  If I allow its access only to my server, and this server
>    runs the latest Linux with the latest patches, do I endanger
>    anything?

ICMP message ID 8 is Echo Request, meaning that when you PING
someone you send to that IP an ICMP message with the ID of 8 (the
ID is represented by a hex code). The computer in turn sends
back an ICMP message ID 0, which is an Echo Reply.

There are certain DoS attacks related to ICMP messages, but they
are usually because of bad implementation in the socket stack.
For example the oversized ping request attack or the destination
unreachable attacks (ID 3).

ICMP is used to check whether that server is online or not,
because PING is the most basic packet which a computer responds
to.

It's very important to allow ICMP packets due to the fact that
most ROUTERS use this packet to acknowledge the "working" condition
of remote hosts.

Hackers use this packet to identify working hosts; instead of
scanning a complete NetMask (256 addresses) you could narrow down
the scan to 10-50 hosts which reply to ICMPs.

Although you could use UDP and TCP packets to identify working
servers, without having to use ICMP.

I don't think Linux (2.0.32) needs any patches relating to
oversized PING packets or destination unreachable attacks.

> 
> 2. Why, the hell, do some FTP clients need ICMP 8/0? Is there a way
>    to bypass the problem (i.e. to allow these clients to do what
>    they need to do, but to deny the intruders)?

Again, most programs check the connection to server by sending
an Echo Request to the server.

Most programs can be "faked" to believe the server exists without
allowing direct ICMPs by using a Proxy or a Firewall with PASV
mode enabled in it.

> 
> My router is Cisco 1005 with IOS 11.2. My server runs RedHat 5.0
> (to be replaced with 5.1 in a few days), with patches for the
> relevant services and potential holes (e.g. BIND).
> 
> Thanks in advance,
> --
> Eli Marmor
> marmor@elmar.co.il
> El-Mar Software Ltd.

Hope I helped,

Any other questions I will gladly help.

-- 
Thanks
Noam Rathaus
http://members.xoom.com/dolittle
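The 8/0 and 0/0 messages and the router policy discussed in this thread, as an added example that is not part of either message: it builds ICMP echo request/reply bytes, verifies the RFC 1071 checksum, and applies an inbound filter that passes the traceroute-related types, allows echo request only to one server address, and drops the rest. The server address 192.0.2.10 and the sample packets are assumptions constructed for the example.

```python
import struct

# ICMP types named in the thread (numbers per RFC 792)
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
NAMES = {0: "echo-reply", 3: "dest-unreachable", 8: "echo-request", 11: "time-exceeded"}
SERVER_IP = "192.0.2.10"  # hypothetical address of the one host allowed to be pinged

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; over a whole valid packet it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, code: int, body: bytes) -> bytes:
    """Type, code, checksum, then the type-specific body (id/seq + data for echo)."""
    csum = icmp_checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, csum) + body

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Echo request is type 8 code 0, echo reply is type 0 code 0 (the '8/0' and '0/0')."""
    return build_icmp(icmp_type, 0, struct.pack("!HH", ident, seq) + payload)

def parse_icmp(packet: bytes) -> dict:
    """Decode type/code and verify the checksum; reject truncated messages."""
    if len(packet) < 8:
        raise ValueError("ICMP message is at least 8 bytes")
    icmp_type, code, _csum = struct.unpack("!BBH", packet[:4])
    return {"type": icmp_type, "code": code, "name": NAMES.get(icmp_type, "other"),
            "checksum_ok": icmp_checksum(packet) == 0}

def filter_decision(packet: bytes, dst_ip: str) -> str:
    """Inbound policy from the thread: traceroute-related types pass, echo request only
    to the server, everything else (sweeps of the rest of the range, corrupt packets) drops."""
    info = parse_icmp(packet)
    if not info["checksum_ok"]:
        return "drop: bad checksum"
    if info["type"] in (DEST_UNREACH, TIME_EXCEEDED):
        return "permit: " + info["name"]
    if (info["type"], info["code"]) == (ECHO_REQUEST, 0) and dst_ip == SERVER_IP:
        return "permit: echo-request to server"
    return "drop: " + info["name"]

if __name__ == "__main__":
    ping = build_echo(ECHO_REQUEST, 0x1234, 1, b"abcdefgh")  # constructed sample
    for dst in (SERVER_IP, "192.0.2.11"):
        print(dst, filter_decision(ping, dst))
    print(filter_decision(build_icmp(TIME_EXCEEDED, 0, bytes(32)), "192.0.2.11"))
```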
