Hi,

> Subject: icmp (8/0)
> Date: Wed, 17 Jun 1998 14:52:05 -0200
> From: Eli Marmor <marmor@elmar.co.il>
> Organization: El-Mar Software Ltd.
> To: linux ILUG <linux-il@linux.org.il>
>
> Hi,
> this question may be off-topic (because it deals with security),
> although I don't think so:
>
> I configured my router to deny all the ICMPs, except for very
> specific ones (those needed for traceroute, etc.). For example, it
> is impossible to ping me or (for me) to ping others. The specific
> ICMP that this message deals with is (8/0) (what is this? I
> forgot!). This way proves itself, since I notice again and again
> that network scanners scan all my IPs from the lowest to the
> highest, and try to send ICMP (8/0) to them. On the other hand,
> some innocent clients (such as the FTP client built into Netscape
> Communicator 4 for Win95) need this ICMP too, and without it they
> stop the session and claim that the connection was refused. Two questions:
>
> 1. What is ICMP 8/0? Why is it so important for hackers? Is there
> any vulnerability with it? Is this potential hole relevant for
> us? (or only for specific OSs, or for old kernels/services/
> etc.)? If I allow its access only to my server, and this server
> runs the latest Linux with the latest patches, do I endanger
> anything?

ICMP message ID 8 is Echo Request, meaning that when you PING someone you send to that IP an ICMP message with the ID of 8 (the ID is represented by a hex code). The computer in turn sends back an ICMP message ID 0, which is an Echo Reply. There are certain DoS attacks related to ICMP messages, but they are usually because of bad implementation in the Sock stack. For example the oversized ping request attack or the destination unreachable attacks (ID 3). ICMP is used to check whether that server is online or not, because PING is the most basic packet which a computer responds to.

It's very important to allow ICMP packets due to the fact that most ROUTERS use this packet to acknowledge the "working" condition of remote hosts. Hackers use this packet to identify working hosts: instead of scanning a complete NetMask (256 addresses) you could narrow down the scan to 10-50 hosts which reply to ICMPs. Although you could use UDP and TCP packets to identify working servers, without having to use ICMP.

I don't think Linux (2.0.32) needs any patches relating to oversized PING packets or destination unreachable attacks.

> 2. Why, the hell, do some FTP clients need ICMP 8/0? Is there a way
> to bypass the problem (i.e. to allow these clients to do what
> they need to do, but to deny the intruders)?

Again, most programs check the connection to the server by sending an Echo Request to the server. Most programs can be "faked" to believe the server exists without allowing direct ICMPs by using a Proxy or a Firewall with PASV mode enabled in it.

> My router is Cisco 1005 with IOS 11.2. My server runs RedHat 5.0
> (to be replaced with 5.1 in a few days), with patches for the
> relevant services and potential holes (e.g. BIND).
>
> Thanks in advance,
> --
> Eli Marmor
> marmor@elmar.co.il
> El-Mar Software Ltd.

Hope I helped. Any other questions, I will gladly help.

--
Thanks
Noam Rathaus
http://members.xoom.com/dolittle
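As an added illustration, not from either poster, here is a small Python model of the filter Eli describes: parse the ICMP header, verify its checksum, and admit Echo Request (8/0) only when it is addressed to the server, while Echo Reply and the error types pass. The policy function, the sample packets and the inclusion of type 11 (Time Exceeded, which traceroute relies on) are my assumptions, not the thread's.

```python
import struct

# ICMP type numbers discussed in the thread (RFC 792); 11 is my addition
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length messages
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Constructed sample packet: 8-byte header with the checksum filled in."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Return type, code and whether the checksum verifies (sums to zero)."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, _csum = struct.unpack("!BBH", packet[:4])
    return {"type": icmp_type, "code": code,
            "checksum_ok": icmp_checksum(packet) == 0}


def inbound_policy(packet: bytes, dst_ip: str, server_ip: str) -> str:
    """Hypothetical inbound filter: 8/0 only to the server, replies and
    error reports (unreachable, time exceeded) everywhere, rest dropped."""
    p = parse_icmp(packet)
    if not p["checksum_ok"]:
        return "drop"                        # malformed, never forward it
    if p["type"] == ICMP_ECHO_REQUEST and p["code"] == 0:
        return "allow" if dst_ip == server_ip else "drop"
    if p["type"] in (ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
        return "allow"
    return "drop"
```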