Why not to stealth all ICMP

  1. #1 Member (Join Date: Jun 2003, Posts: 57)

    Why not to stealth all ICMP

    Here is a cool email I got today, regarding some interesting aspects of stealthing against ICMP traffic. I was particularly taken with this email, as I just watched Leo Laporte advise disabling all ICMP traffic via the Win XP firewall. What do you folks think? Safer on or off? I'm not particularly worried about my address being used as a spoofer, but I suppose it's a matter of time.

    http://home.neb.rr.com/dagreasepound...ockallicmp.txt

    Corn

  2. #2 Antionline's Security Dude instronics (Join Date: Dec 2002, Posts: 901)
    Stealthing means the firewall just DROPS all ICMP packets.

    Advantage - The packets sent to the FW will not respond, slowing down potential portscans, or ICMP in general.

    Disadvantage - It makes the attacker aware that there is a firewall DROPPING ICMP packets.

    Choose your poison.
    Ubuntu-: Means in African : "I'm too dumb to use Slackware"

  3. #3 Senior Member (Join Date: Jan 2002, Posts: 1,207)
    What about the useful ICMP packets which actually give applications information? Like unreachable messages?

    Nobody ever seems to give a damn about them.

    Perhaps because Windoze doesn't seem to handle them correctly anyway?

    Slarty

  4. #4 Master-Jedi-Pimps0r & Moderator thehorse13 (Join Date: Dec 2002, Location: Washington D.C. area, Posts: 2,884)
    Ahhhh yes, Slarty, I was going to bring up the various ICMP message types. In case anyone is interested, here is a link to the complete list of ICMP message types and related codes.

    http://www.iana.org/assignments/icmp-parameters

    The nice thing about ICMP is that you can filter specific types that are associated with the usual enumeration nonsense while allowing those that are beneficial to your admins. That said, I think that the document is a bit narrow in content and depth in regards to ICMP.

    --TH13

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5 Deceased x acidreign x (Join Date: Jul 2002, Posts: 455)
    Originally posted here by instronics
    Stealthing means the firewall just DROPS all ICMP packets.

    Advantage - The packets sent to the FW will not respond, slowing down potential portscans, or ICMP in general.

    Disadvantage - It makes the attacker aware that there is a firewall DROPPING ICMP packets.

    Choose your poison.
    That's only if the attacker knows there is a live system at the IP in question. This is rarely the case; in most cases it is an attacker scanning IP after IP to determine which one is alive. Dropping ICMP packets will give the attacker the assumption that there is no machine alive at your IP, so it is actually a good thing. This does not, however, protect against port scanning, which is scanning commonly used ports for a response. Dropping ICMP packets is advisable, but it does not make you "invisible" by any means.

  6. #6 Junior Member (Join Date: Sep 2003, Posts: 22)
    Along the lines of horse13's comments, I have found a firewall set of rules that allows only the outbound and inbound ICMP I want (two separate rules) and two other rules that deny all other ICMP connections (one for inbound, one for outbound). This way I can run traceroute out but will not respond to an inbound traceroute, or will allow an inbound echo reply but won't send one. This seems to keep things working fairly smoothly, even if it did take a little poking around to find the right mix.

    I don't know if this will help corndog's e-mail but it works for me.
    Where's the ka-booom?
    There was supposed to be an earth-shattering ka-booom!

  7. #7 Junior Member (Join Date: Sep 2003, Posts: 3)
    Yah, nice... Nice to know that there are some who do know what improperly configured 'firewalls' can do! ICMP is important. But try telling ipoperations that! Really screws with the net the way these nerbs think... did I say think?

    Thanks for sharing that email with us. I needed that after the past few days tracing down those net unreachables!
    The hinge of sorcery is the assemblage point.

  8. #8 Senior Member (Join Date: Sep 2001, Posts: 1,027)
    More intelligent (stateful) firewalls, like pf on OpenBSD, use their connection state table to allow valid ICMP packets, i.e. those that relate to established connections (or ones in the process of being established), even when you have a "block in icmp" rule. No need to filter on particular ICMP codes for inbound or outbound...

    Ammo
    Credit travels up, blame travels down -- The Boss

  9. #9 Senior Member (Join Date: Aug 2003, Posts: 185)
    Hmmm... attackers..??

    Just one thing about blocking, dropping, stealthing (or whatever) all ICMP traffic:
    if you are running a webserver you will make any DSL user angry about your shitworking site.
    A little problem with length of the blocks while using DSL (sorry, still I do not really understand this).
    The DSL users will only be able to access your site without errors by coming through a proxy.

    greetz, stanger
    Industry Kills Music.
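As an added example (not from any poster in this thread), the selective policy that posts #4, #6 and #8 describe, modelled in Python: pass the ICMP error types applications rely on when they relate to a tracked connection, let our own probes out, and drop inbound probes and outbound replies. The DSL complaint in #9 is the same mechanism seen from a server: path-MTU discovery needs the inbound "fragmentation needed" error (type 3, code 4) to arrive, so a drop-everything rule blackholes large responses. The packet class, the matches_state flag and both policy functions are constructed for illustration, not a real firewall API.

```python
"""Selective ICMP policy vs. 'stealth everything' (constructed model,
not a real firewall). Type numbers are from the IANA registry linked
in post #4 (RFC 792)."""
from dataclasses import dataclass

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
TIMESTAMP_REQUEST, ADDR_MASK_REQUEST = 13, 17
FRAG_NEEDED = 4  # code under type 3: "fragmentation needed and DF set"

@dataclass(frozen=True)
class IcmpPacket:
    direction: str          # "in" or "out"
    icmp_type: int
    code: int = 0
    # A stateful firewall (post #8) knows whether an ICMP error or reply
    # quotes a flow already in its state table; modelled as a flag here.
    matches_state: bool = False

# Error types that carry information applications need (post #3).
ERROR_TYPES = {DEST_UNREACH, TIME_EXCEEDED}
# Types used almost only for host enumeration; a host never needs them in.
PROBE_TYPES = {ECHO_REQUEST, TIMESTAMP_REQUEST, ADDR_MASK_REQUEST}

def stateful_policy(pkt: IcmpPacket) -> str:
    """'pass' or 'drop' for a host that initiates traffic but should not
    answer probes: the rule mix from post #6 plus the state exemption
    from post #8."""
    if pkt.direction == "out":
        # Our own echo requests / traceroute probes go out, but we never
        # emit replies or errors that would confirm a live host.
        return "drop" if pkt.icmp_type in ERROR_TYPES | {ECHO_REPLY} else "pass"
    # Inbound errors tied to one of our connections always pass; this is
    # what keeps path-MTU discovery (type 3 / code 4) working.
    if pkt.icmp_type in ERROR_TYPES and pkt.matches_state:
        return "pass"
    # Echo replies to requests we sent are state-related as well.
    if pkt.icmp_type == ECHO_REPLY and pkt.matches_state:
        return "pass"
    # Everything else inbound, including all PROBE_TYPES, is dropped.
    return "drop"

def drop_all_policy(pkt: IcmpPacket) -> str:
    """The 'stealth all ICMP' setting from the original post."""
    return "drop"

def pmtud_survives(policy) -> bool:
    """Does a 'fragmentation needed' error for an established flow get
    through? If not, large responses to clients behind a smaller-MTU
    link black-hole, which is the symptom described in post #9."""
    pkt = IcmpPacket("in", DEST_UNREACH, FRAG_NEEDED, matches_state=True)
    return policy(pkt) == "pass"
```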
