GroupStudy.com GroupStudy.com - A virtual community of network engineers
 Home  BookStore  StudyNotes  Links  Archives  StudyRooms  HelpWanted  Discounts  Login
Re: icmp messages [7:60602] posted 01/08/2003
[Chronological Index] [Thread Index] [Top] [Date Prev][Date Next] [Thread Prev][Thread Next]


I did find a good security paper that says incoming ICMP redirects should be
filtered at routers. It says this:

"An ICMP redirect message instructs an end node to use a specific router as
its path to a particular destination. In a properly functioning IP network,
a router will send redirects only to hosts on its own local subnets, no end
node will ever send a redirect, and no redirect will ever be traversed more
than one network hop. However, an attacker may violate these rules; some
attacks are based on this. It's a good idea to filter out incoming ICMP
redirects at the input interfaces of any router that lies at a border
between administrative domains, and it's not unreasonable for any access
list that's applied on the input side of a Cisco router interface to filter
out all ICMP redirects. This will cause no operational impact in a correctly
configured network.

Note that this filtering prevents only redirect attacks launched by remote
attackers. It's still possible for attackers to cause significant trouble
using redirects if their host is directly connected to the same segment as a
host that's under attack."

The paper is "Improving Security on Cisco Routers" and is well worth a read.
The URL is:

http://www.cisco.com/warp/public/707/21.html

_______________________________

Priscilla Oppenheimer
www.troubleshootingnetworks.com
www.priscilla.com

> 
> Sounds like a good approach.
> 
> I tried to find a paper at Cisco's site that has
> recommendations with regards to security, ICMP, and access
> lists, and couldn't find one. I hate being thwarted like this!
> ;-) Anyone have a URL?
> 
> Thanks,
> 
> Priscilla
> 
> Brian wrote:
> > 
> > there are a ton of icmp message types, the block is likely
> > preventing you
> > from getting some errors.  A former coworker had a good idea
> > that went like
> > this, in this order.
> > 
> > Permit all icmp from trusted monitoring hosts
> > deny icmp echo/echo-request from all
> > permit icmp from all
> > 
> >     Its a middle of the road approach, and some folks will
> tell
> > you its too
> > open. But, I happen to believe that receiving and processing
> > icmp errors is
> > better than putting them in the bit bucket.
> > 
> >     Brian
> > 
> > ----- Original Message -----
> > From: "ramesh c" 
> > To: 
> > Sent: Wednesday, January 08, 2003 5:32 AM
> > Subject: icmp messages [7:60602]
> > 
> > 
> > > I got access list as follows on my router
> > >
> > > access-list 100 permit icmp host any host xyz ttl-exceed
> > > access-list 100 deny icmp any any
> > >
> > > when I do a traceroute from host xyz,I get reply only from
> > some hosts .The
> > > Hitcounts on deny icmp icmp increases.the access-group is
> > applied to the
> > "in"
> > >
> > >
> > > Am I missing any other icmp messages?Is there a way to allow
> > all icmp
> > > messages for the host?
> > >
> > > Cheers
> > >
> > >
> > >
> _____________________________________________________________
> > > Get 25MB, POP3, Spam Filtering with LYCOS MAIL PLUS for
> > $19.95/year.
> > >
> >
> http://login.mail.lycos.com/brandPage.shtml?pageId=plus&ref=lmtplus
> > 
> > 
> 
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60652&t=60602
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to abuse@xxxxxxxxxxxxxx