[linux-security] Re: ICMP
- From: Zygo Blaxell <zblaxell washu furryterror org>
- To: sysadmin ocean com au, wulfman <wulfman wulfman com>
- Cc: "linux-security redhat com" <linux-security redhat com>
- Subject: [linux-security] Re: ICMP
- Date: Thu, 02 Mar 2000 20:36:12 -0500
In security.redhat.linux-security, you wrote:
>To a network I want relatively secure I've blocked:
>echo-requests inbound (ping)
>time-exceeded outbound (traceroute)
>redirect inbound (could be nasty)
>
>Everything else comes through. I did the first two to stop people learning
>more than they need to about the network and the last to stop someone
>fooling a machine into routing packets somewhere it shouldn't.

I've used ISPs that have somewhat haphazard router configurations
where ICMP redirects are necessary. In this case the ISP is configuring
client machines to use an "advertised" router as the default gateway,
when in fact multiple routes separated by subnet are necessary. The ISP
configures routing properly on the "advertised" router, and relies on
the router to send every client machine ICMP redirects to the "real"
routers that will actually forward the traffic to the right places.
If you block ICMP redirect from this particular ISP, you will lose
Internet access unless you phone them often to keep up with their network
configuration of the month.
Try to avoid this sort of ISP if you can. ;-)

In Linux 2.2, the ICMP redirect messages create entries in the route
cache. From a security point of view, it's similar to the ARP cache for
Ethernet: apart from a few minor differences (packet format, timeouts,
and the sequence of events in the protocol), the semantics are similar enough
to consider one to be a superset of the other for security purposes.

If you're in a situation where you're on Ethernet (switched or not) shared
with someone you don't trust, don't worry about ICMP redirect spoofing
until you've first solved the MAC/ARP spoofing problem. Once you've done
that, then you can meaningfully block incoming ICMP redirects. As ugly
as it sounds, more and more Internet feeds (even commercial ones) are
popping up with wide-area switched Ethernet somewhere at the ISP's site
due to the popularity and resulting cheapness of *DSL and cable modems.

ICMP redirect can only be effectively used to redirect traffic to a
different gateway on the same subnet, or to a different subnet attached
to your machine (and that might be subject to some sanity checking in
the kernel to prevent exactly that kind of abuse). IIRC (I apologize
if I get this wrong, but I'm waiting for my Internet feed to come back
up as I write this so I can't easily consult an RFC near me ;-) ICMP
redirects are not supposed to be forwarded, and even if they were,
they don't make a lot of sense when they are.

ICMP redirect to a different interface on your machine can be contained
by using ipchains on output rules to block packets with the wrong source
or destination addresses. I configure ipchains to block source or
destination addresses that I use on my private networks on all network
interfaces connected to the Internet. If, for any reason, packets are
redirected from the private side interface to the public Internet, they
won't get past the firewall. This converts a potential confidentiality
breach or IP spoofing attack into a simple denial of service.

Here are some common configurations and what an attacker can get if
the attacker can cause your machine to send data to the wrong host on
a subnet:

1. ISP gives you a router and a subnet. The router has one IP in that
subnet, and all the other IPs are yours. Here, ICMP redirect can only
be used to direct traffic from one of your hosts to another, and the
other host will just send an ICMP redirect back to correct the error. ;-)

2. ISP gives you a router and a single point-to-point address (e.g. a
PPP-based connection). ICMP redirect here is useless, since all possible
outgoing routes will go to your point-to-point peer, which will consult
its own routing table to process them.

3. ISP gives you a box that emulates switched Ethernet. Attacker can
redirect packets to any IP address on the switched Ethernet, possibly
including machines controlled by your attacker. See above about MAC/ARP
spoofing.

--
OpenPGP email preferred at <zblaxell feedme hungrycats org>.
OpenPGP key available on www.keyserver.net and other fine keyservers.
OpenPGP fingerprint: 2B32 546D 21A5 0DB2 20C8 AF10 1D4A 610E 6972 2DEE
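The two defensive points in the message above (a host should only honour a redirect that names a gateway on its own directly connected subnet and that comes from the gateway it is currently using, and an output filter on the Internet-facing interface should drop anything carrying a private-side source or destination address) can be shown as code. The following is an added example written for this page, not code from the original post, from Linux 2.2 or from ipchains; the host configuration (192.0.2.0/24 as the connected subnet, 192.0.2.10 as our address, 192.0.2.1 as the advertised default gateway, 10/8 and 192.168/16 as private networks) and the packets it builds are constructed for illustration.

```python
"""Host-side ICMP redirect sanity checks and an egress anti-spoofing rule.

Added example for this page; the addresses below are constructed, not from
the original post.
"""
import ipaddress
import struct
from dataclasses import dataclass

# Constructed host configuration (assumption): one Ethernet interface on
# 192.0.2.0/24, the ISP's "advertised" router as default gateway, and two
# RFC 1918 ranges in use on the private side of the firewall.
IFACE_NET = ipaddress.ip_network("192.0.2.0/24")
MY_ADDR = ipaddress.ip_address("192.0.2.10")
DEFAULT_GW = ipaddress.ip_address("192.0.2.1")
PRIVATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]

ICMP_REDIRECT = 5  # RFC 792 message type


def inet_checksum(data: bytes) -> int:
    """Ones'-complement Internet checksum (RFC 1071); 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class Redirect:
    code: int                         # 0 net, 1 host, 2 TOS+net, 3 TOS+host
    gateway: ipaddress.IPv4Address    # gateway the sender wants us to use
    orig_src: ipaddress.IPv4Address   # source of the datagram that triggered it
    orig_dst: ipaddress.IPv4Address   # destination of that datagram


def build_redirect(code, gateway, orig_src, orig_dst) -> bytes:
    """Construct an ICMP redirect quoting a 20-byte IP header plus 8 bytes
    of the offending datagram, with a valid checksum (test input only)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                         ipaddress.ip_address(orig_src).packed,
                         ipaddress.ip_address(orig_dst).packed)
    body = ip_hdr + b"\x00" * 8
    gw = ipaddress.ip_address(gateway).packed
    csum = inet_checksum(struct.pack("!BBH4s", ICMP_REDIRECT, code, 0, gw) + body)
    return struct.pack("!BBH4s", ICMP_REDIRECT, code, csum, gw) + body


def parse_redirect(icmp: bytes) -> Redirect:
    """Parse and checksum an ICMP redirect; raise ValueError if malformed."""
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("truncated ICMP redirect")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, gw = struct.unpack("!BBH4s", icmp[:8])
    if icmp_type != ICMP_REDIRECT or code > 3:
        raise ValueError("not a valid ICMP redirect")
    ihl = (icmp[8] & 0x0F) * 4
    if ihl < 20 or len(icmp) < 8 + ihl + 8:
        raise ValueError("quoted IP header is truncated")
    src, dst = icmp[20:24], icmp[24:28]   # src/dst fields of the quoted header
    return Redirect(code, ipaddress.ip_address(gw),
                    ipaddress.ip_address(src), ipaddress.ip_address(dst))


def check_redirect(sender, icmp: bytes):
    """Sanity checks a host should apply before a redirect touches its route
    cache. Returns (accept, reason)."""
    sender = ipaddress.ip_address(sender)
    try:
        r = parse_redirect(icmp)
    except ValueError as err:
        return False, str(err)
    if sender != DEFAULT_GW:
        return False, "redirect not from the gateway currently in use"
    if r.orig_src != MY_ADDR:
        return False, "quoted datagram was not sent by this host"
    if r.gateway not in IFACE_NET:
        return False, "new gateway is not on the directly connected subnet"
    if r.gateway in (MY_ADDR, DEFAULT_GW):
        return False, "new gateway is ourselves or the old gateway"
    if r.orig_dst in IFACE_NET:
        return False, "destination is on-link; no gateway needed"
    return True, "cache route to %s via %s" % (r.orig_dst, r.gateway)


def egress_allowed(public_iface: bool, src, dst) -> bool:
    """The post's ipchains-style output rule: on an Internet-facing interface
    drop any packet whose source or destination is a private-side address, so
    a redirect that bounces private traffic out the public side becomes a
    denial of service rather than a leak or a spoofing opportunity."""
    if not public_iface:
        return True
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return not any(src in net or dst in net for net in PRIVATE_NETS)


if __name__ == "__main__":
    good = build_redirect(1, "192.0.2.2", "192.0.2.10", "198.51.100.7")
    print(check_redirect("192.0.2.1", good))     # accepted
    print(check_redirect("192.0.2.66", good))    # not from our gateway
    print(check_redirect("192.0.2.1", build_redirect(1, "203.0.113.9",
                                                     "192.0.2.10", "198.51.100.7")))
    print(egress_allowed(True, "10.1.2.3", "198.51.100.7"))   # False
```

The checks mirror the message's reasoning: a redirect is only meaningful for a gateway on the same link, it is never forwarded (so the quoted datagram must be one we sent), and the output rule makes the worst case of a successful redirect a dropped packet rather than private traffic leaving on the public interface. None of this replaces solving MAC/ARP spoofing first on a shared Ethernet, as the message notes; the sender check here is only as good as the link layer beneath it.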