firewallspotting

Ilya Palagin tux-4CS0UopE6WdBDgjK7y7TUQ at public.gmane.org
Fri Jan 21 17:39:15 UTC 2005


Quoting Robert Brockway <rbrockway-wgAaPJgzrDxH4x6Dk/4f9A at public.gmane.org>:

> On Mon, 3 Jan 2005, Ilya Palagin wrote:
>
> > Source quench, for instance, can be used for an effective DoS attack.
>
> You still need to guess the TCP sequence number to Source Quench a TCP
> stream.  If you want to Source Quench many streams you must guess many
> sequence numbers.  If an attacker can guess sequence numbers all sorts of
> evil is possible.
>
> I just found this:
>
> RFC 1009 (gateway requirements):
>
>           All gateways must contain code for sending ICMP Source Quench
>           messages when they are forced to drop IP datagrams due to
>           congestion. Although the Source Quench mechanism is known to
>           be an imperfect means for Internet congestion control, and
>           research towards more effective means is in progress, Source
>           Quench is considered to be too valuable to omit from production
>           gateways.
>
> > Blocking ICMP traffic through the firewall is one of common security
>
> But we can be very selective about what ICMP types we want to block (as
> noted in the discussion so far).  It really does suck to block certain
> ICMP types - eg, icmp-destination-unreachable.  Sending machines get
> insufficient information back about the hosts they are trying to connect
> to.  This results in mail delays, problems debugging network issues, and
> lots of other fun.
>

I've just received a list of RH security updates:
-------------
Red Hat Security Advisory:
A recent Internet Draft by Fernando Gont recommended that ICMP Source
Quench messages be ignored by hosts.  A patch to ignore these messages is
included.
-------------

This can be found on
<http://www.linuxsecurity.com/content/view/117962/110/>

Here is the draft they mention:
http://www.ietf.org/internet-drafts/draft-gont-tcpm-icmp-attacks-03.txt

...
7.1.1  Description

   The Host requirements RFC states hosts MUST react to ICMP Source
   Quench messages by slowing transmission on the connection.  Thus, an
   attacker could send ICMP Source Quench (type 4, code 0) messages to a
   TCP endpoint to make it reduce the rate at which it sends data to the
   other party.  While this would not reset the connection, it would
   certainly degrade the performance of the data transfer taking place
   over it.

7.1.2  Attack-specific counter-measures

   The Host Requirements RFC [4] states that hosts MUST react to ICMP
   Source Quench messages by slowing transmission on the connection.
   However, as discussed in the Requirements for IP Version 4 Routers
   RFC [5], research seems to suggest ICMP Source Quench is an
   ineffective (and unfair) antidote for congestion.  Thus, we recommend
   hosts to completely ignore ICMP Source Quench messages.
...

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
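Added example, not part of the thread above, the Red Hat patch, or the Gont draft: a small host-side validator for incoming ICMP errors that (a) ignores Source Quench outright, as the draft recommends, and (b) for the ICMP types a host still wants, such as destination-unreachable, checks the embedded TCP header against local connection state before acting, which is the point made in the quoted reply that an attacker must guess the sequence number. The message layout follows RFC 792 (ICMP header, then the offending IP header plus the first 8 bytes of its payload). The connection table, the addresses (documentation ranges) and the sample messages are constructed here for illustration; the `build_icmp_error` helper exists only to produce that sample input.

```python
"""Validate ICMP errors against TCP state before acting on them (added example)."""
import socket
import struct
from dataclasses import dataclass

ICMP_DEST_UNREACH = 3
ICMP_SOURCE_QUENCH = 4
IPPROTO_TCP = 6


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; over a message whose checksum
    field is already filled in, the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(msg: bytes) -> bool:
    return inet_checksum(msg) == 0


def build_icmp_error(icmp_type, code, orig_src, orig_dst, sport, dport, seq):
    """Construct an ICMP error (RFC 792 layout): 8-byte ICMP header, then the
    offending IP header and the first 8 bytes of its payload, which for TCP
    are the two ports and the sequence number. Sample-input helper only."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                         socket.inet_aton(orig_src), socket.inet_aton(orig_dst))
    tcp8 = struct.pack("!HHI", sport, dport, seq)
    body = struct.pack("!BBHI", icmp_type, code, 0, 0) + ip_hdr + tcp8
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


@dataclass(frozen=True)
class IcmpError:
    icmp_type: int
    code: int
    proto: int
    src: str      # source of the datagram that triggered the error (our address)
    dst: str      # its destination (the remote peer)
    sport: int
    dport: int
    seq: int      # TCP sequence number of that datagram


def parse_icmp_error(msg: bytes) -> IcmpError:
    """Parse an ICMP error; raises ValueError on truncation or bad checksum."""
    if len(msg) < 8 + 20 + 8:
        raise ValueError("truncated ICMP error")
    if not checksum_ok(msg):
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _, _ = struct.unpack("!BBHI", msg[:8])
    ip = msg[8:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl + 8:
        raise ValueError("malformed embedded IP header")
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    sport, dport, seq = struct.unpack("!HHI", ip[ihl:ihl + 8])
    return IcmpError(icmp_type, code, ip[9], src, dst, sport, dport, seq)


@dataclass
class Connection:
    snd_una: int   # oldest unacknowledged sequence number
    snd_nxt: int   # next sequence number the host will send


def seq_in_window(seq: int, snd_una: int, snd_nxt: int) -> bool:
    """SND.UNA <= seq < SND.NXT, computed modulo 2**32 so wraparound works.
    With nothing in flight (snd_una == snd_nxt) no datagram could have
    triggered the error, so the window is empty and every seq is rejected."""
    return ((seq - snd_una) & 0xFFFFFFFF) < ((snd_nxt - snd_una) & 0xFFFFFFFF)


def handle_icmp_error(msg: bytes, connections: dict):
    """Decide whether a TCP endpoint should act on an ICMP error.
    Returns (action, reason) where action is 'ignore' or 'deliver'."""
    err = parse_icmp_error(msg)
    if err.icmp_type == ICMP_SOURCE_QUENCH:
        return "ignore", "source quench is never acted on"
    if err.proto != IPPROTO_TCP:
        return "ignore", "embedded datagram is not TCP"
    conn = connections.get((err.src, err.sport, err.dst, err.dport))
    if conn is None:
        return "ignore", "no connection matches the embedded 4-tuple"
    if not seq_in_window(err.seq, conn.snd_una, conn.snd_nxt):
        return "ignore", "embedded sequence number is outside the send window"
    return "deliver", "type %d code %d accepted for connection" % (err.icmp_type, err.code)


# Constructed sample state: one outbound SMTP connection with bytes 1000..1499 in flight.
LOCAL, REMOTE = "192.0.2.10", "198.51.100.7"
CONNECTIONS = {(LOCAL, 40000, REMOTE, 25): Connection(snd_una=1000, snd_nxt=1500)}


def demo():
    """Three constructed messages: a Source Quench with a correct sequence number,
    a destination-unreachable with a correct one, and one with a guessed one."""
    msgs = [
        build_icmp_error(ICMP_SOURCE_QUENCH, 0, LOCAL, REMOTE, 40000, 25, 1200),
        build_icmp_error(ICMP_DEST_UNREACH, 1, LOCAL, REMOTE, 40000, 25, 1200),
        build_icmp_error(ICMP_DEST_UNREACH, 1, LOCAL, REMOTE, 40000, 25, 777777),
    ]
    return [handle_icmp_error(m, CONNECTIONS)[0] for m in msgs]


if __name__ == "__main__":
    print(demo())  # ['ignore', 'deliver', 'ignore']
```

The first message is dropped purely by type, so an attacker who could guess the sequence number still gains nothing from Source Quench on a host patched this way. The third message shows why the quoted reply says the attacker has to guess: a destination-unreachable with an off-window sequence number is dropped even though the type is one the firewall deliberately lets through.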