firewallspotting
Ilya Palagin
tux-4CS0UopE6WdBDgjK7y7TUQ at public.gmane.org
Fri Jan 21 17:39:15 UTC 2005
Quoting Robert Brockway <rbrockway-wgAaPJgzrDxH4x6Dk/4f9A at public.gmane.org>:
> On Mon, 3 Jan 2005, Ilya Palagin wrote:
>
> > Source quench, for instance, can be used for an effective DoS attack.
>
> You still need to guess the TCP sequence number to Source Quench a TCP
> stream. If you want to Source Quench many streams you must guess many
> sequence numbers. If an attacker can guess sequence numbers all sorts of
> evil is possible.
>
> I just found this:
>
> RFC 1009 (gateway requirements):
>
> All gateways must contain code for sending ICMP Source Quench
> messages when they are forced to drop IP datagrams due to
> congestion. Although the Source Quench mechanism is known to
> be an imperfect means for Internet congestion control, and
> research towards more effective means is in progress, Source
> Quench is considered to be too valuable to omit from production
> gateways.
>
> > Blocking ICMP traffic through the firewall is one of common security
>
> But we can be very selective about what ICMP types we want to block (as
> noted in the discussion so far). It really does suck to block certain
> ICMP types - eg, icmp-destination-unreachable. Sending machines get
> insufficient information back about the hosts they are trying to connect
> to. This results in mail delays, problems debugging network issues, and
> lots of other fun.
>
I've just received a list of RH security updates:
-------------
Red Hat Security Advisory:
A recent Internet Draft by Fernando Gont recommended that ICMP Source
Quench messages be ignored by hosts. A patch to ignore these messages is
included.
-------------
This can be found on
<http://www.linuxsecurity.com/content/view/117962/110/>
Here is the draft they mention:
http://www.ietf.org/internet-drafts/draft-gont-tcpm-icmp-attacks-03.txt
...
7.1.1 Description
The Host requirements RFC states hosts MUST react to ICMP Source
Quench messages by slowing transmission on the connection. Thus, an
attacker could send ICMP Source Quench (type 4, code 0) messages to a
TCP endpoint to make it reduce the rate at which it sends data to the
other party. While this would not reset the connection, it would
certainly degrade the performance of the data transfer taking place
over it.
7.1.2 Attack-specific counter-measures
The Host Requirements RFC [4] states that hosts MUST react to ICMP
Source Quench messages by slowing transmission on the connection.
However, as discussed in the Requirements for IP Version 4 Routers
RFC [5], research seems to suggest ICMP Source Quench is an
ineffective (and unfair) antidote for congestion. Thus, we recommend
hosts to completely ignore ICMP Source Quench messages.
...
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
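The selective filtering Robert describes (drop Source Quench, keep passing Destination Unreachable and the other error types hosts need) and the draft's observation that an ICMP message only matters when it refers to a real connection can both be shown in a small filter. The following is an added example, not code from this thread, from the Gont draft or from Red Hat's patch: it parses an ICMP message, checks its checksum, applies an allowed-type policy, and for error messages extracts the embedded IP header plus the first 8 transport bytes to check that the reported datagram belongs to a connection the filter has actually seen. The allowed-type set, the addresses (RFC 5737 documentation ranges), ports and sequence numbers are constructed for the example.

```python
import struct
from ipaddress import ip_address

# ICMP type numbers (RFC 792)
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_SOURCE_QUENCH = 4
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11
ICMP_PARAM_PROBLEM = 12

# Error messages that carry the offending IP header plus 8 bytes of its payload
ERROR_TYPES = {ICMP_DEST_UNREACH, ICMP_SOURCE_QUENCH, ICMP_TIME_EXCEEDED, ICMP_PARAM_PROBLEM}

# Selective policy chosen for this example (an assumption, not a standard): anything
# not listed is dropped, so Source Quench is dropped while Destination Unreachable passes.
ALLOWED_TYPES = {ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST,
                 ICMP_TIME_EXCEEDED, ICMP_PARAM_PROBLEM}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options; header checksum left 0: constructed test data)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ip_address(src).packed, ip_address(dst).packed)


def build_icmp(icmp_type: int, code: int, body: bytes) -> bytes:
    """ICMP message with a correct checksum; the 'rest of header' field is left 0."""
    header = struct.pack("!BBHI", icmp_type, code, 0, 0)
    csum = icmp_checksum(header + body)
    return struct.pack("!BBHI", icmp_type, code, csum, 0) + body


def parse_icmp(datagram: bytes) -> dict:
    """Decode type/code, verify the checksum and, for error types, pull out the
    5-tuple (proto, src, sport, dst, dport) of the datagram the error refers to."""
    if len(datagram) < 8:
        raise ValueError("short ICMP header")
    icmp_type, code, _csum, _rest = struct.unpack("!BBHI", datagram[:8])
    info = {"type": icmp_type, "code": code, "checksum_ok": icmp_checksum(datagram) == 0}
    if icmp_type in ERROR_TYPES:
        inner = datagram[8:]
        if len(inner) < 20:
            raise ValueError("truncated embedded IP header")
        ihl = (inner[0] & 0x0F) * 4
        proto = inner[9]
        src = str(ip_address(inner[12:16]))
        dst = str(ip_address(inner[16:20]))
        transport = inner[ihl:ihl + 8]
        if len(transport) < 8:
            raise ValueError("truncated embedded transport header")
        sport, dport = struct.unpack("!HH", transport[:4])
        info["embedded"] = (proto, src, sport, dst, dport)
        if proto == 6:  # TCP: the 8 bytes also hold the sequence number of the quoted segment
            info["embedded_seq"] = struct.unpack("!I", transport[4:8])[0]
    return info


def filter_icmp(datagram: bytes, allowed=ALLOWED_TYPES, known_connections=None):
    """Return (verdict, reason). known_connections is the set of 5-tuples the
    filter has seen leaving the network, i.e. a stateful firewall's connection table."""
    try:
        info = parse_icmp(datagram)
    except ValueError as exc:
        return "DROP", f"malformed: {exc}"
    if not info["checksum_ok"]:
        return "DROP", "bad checksum"
    if info["type"] not in allowed:
        return "DROP", f"type {info['type']} not permitted by policy"
    if "embedded" in info and known_connections is not None \
            and info["embedded"] not in known_connections:
        return "DROP", "error message refers to a connection we never opened"
    return "ACCEPT", f"type {info['type']} code {info['code']}"


def demo() -> dict:
    """Run the filter over constructed messages and return the verdict per message."""
    conn = (6, "192.0.2.10", 40000, "198.51.100.5", 25)   # our SMTP client -> a peer MX
    connections = {conn}
    inner_ip = build_ipv4_header(conn[1], conn[3], 6, 20)
    inner_tcp8 = struct.pack("!HHI", conn[2], conn[4], 123456)
    unknown_tcp8 = struct.pack("!HHI", conn[2], 80, 123456)  # port 80: no such flow
    messages = {
        "source_quench": build_icmp(ICMP_SOURCE_QUENCH, 0, inner_ip + inner_tcp8),
        "frag_needed": build_icmp(ICMP_DEST_UNREACH, 4, inner_ip + inner_tcp8),
        "unreach_unknown_flow": build_icmp(ICMP_DEST_UNREACH, 1, inner_ip + unknown_tcp8),
        "echo_request": build_icmp(ICMP_ECHO_REQUEST, 0, b"ping"),
        "corrupted": build_icmp(ICMP_DEST_UNREACH, 4, inner_ip + inner_tcp8)[:-1] + b"\xff",
    }
    return {name: filter_icmp(m, known_connections=connections)[0]
            for name, m in messages.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

The point of the embedded-header check is the one Robert makes: an error message that quotes a datagram for a connection that does not exist can be discarded outright, and a host doing the same check against its own sockets would additionally compare the quoted sequence number with the connection's current window. Source Quench is dropped here by policy regardless of what it quotes, which is the behaviour the Red Hat patch applies on the host side.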