Re: Firewall stateful handling of ICMP packets

[Jeff Kell]

Jamie Reid wrote:
> Personal view: 
> This was a problem when filtering Nachi while it pinged networks
> to their knees. 
Well, it was at least the "last straw".

> Sometimes I wonder if there is any legitimate reason to allow 
> pings from users at all. If the user really needed to use
> ping, that is, if they were in a position to do anything about the
> results of the ping tests, then they would know enough to 
> use traceroute in UDP mode or some other tool. 
Personally, I like Rob Thomas (cymru) stance on ICMP filtering as given 
in http://www.cymru.com/Documents/icmp-messages.html.  This allows pings
and PMTU-relevant unreachables.  Granted there have been a few hacker 
toys that use ICMP echo-reply or other esoteric ICMP type codes to 
communicate with their "slaves", but this could be alleviated to some 
extent with "stateful" ICMP (almost an oxymoron).

The Nachi pings can be stopped by vendor C using policy routing but has 
a side effect of grabbing some unintended packets (Windows traceroute, I 
think).  If you can devise a method to see if the ICMP payload is a load 
of 0xaa's then you've narrowed it down to a science, but AFAIK vendor C 
can't do that (well, maybe an IDS appliance with a custom signature).

You can gain "some" additional protection by rate-limiting ICMP (in the 
Nachi ping case) and/or UDP (SQL Slammer, etc), and TCP intercept for 
synflooding.  Not perfect, but every little bit helps.

Jeff Kell
University of Tennessee at Chattanooga