-
December 27th, 2001, 07:48 PM
#1
Member
ICMP (the rejected one)
Ok guys, this day is crawling to a halt so I figured I would load your brains with some more useful information. A protocol I wish to bring up is ICMP (Internet Control Message Protocol). This protocol is probably the most understated and annoying one that is out there. It is true that its sole purpose is to notify a client of connectivity issues. Of course, a security standard is to simply filter icmp all together with the outbound router but this isn't the best of solutions. You see, we all have seen the destination unreachable error right? Well in geek it is an icmp type 3 error and has a code right after it. We could use this code in order to find out weither it could be a problem with a host, service, dns, etc... This protocol is not reliable and can be a very good misleader in troubleshooting but it gives you a place to start. Another bad reason to simply filter all icmp packets is that we run into the issue with network congestion. Hosts will not quit trying to ping (icmp type 0/8) because it is not recieving a reply, if fact, it will probably keep trying because it wouldn't even reach a TTL timeout (which is also ICMP) assuming that the router before the final hop doesn't send the error for you. The best bet if you wish to be secure would be to manage and filter only icmp packets that relate specifically to unwanted traffic. Yes, even ping is ICMP (and it may seem cool to make it impossible to ping you, but many proggys use this function for TCP connections, remember the three way shake right?). Note: The coolest thing that I have ever done with ICMP is to route all unknown traffic from the outside to a virtual interface on the inside. This defied the idea of filtering because the router did not have to look up ipchains or access lists. Instead it simply forwarded the traffic as it normally would (to oblivion that is). This saved time both during peak hours and also did away with ICMP. The cool thing about all of this is that I was using a cisco router. With cisco you can create an established command on a static entry that will allow you to forward all traffic to the bit bucket but only allow outside connections to the real network after the connection was already made from the inside (not a permanent or useful solution....just fun) Below is a list of the different types of ICMP types and codes that are associated with it (thanks to iana).
Type Name Reference
---- ------------------------- ---------
0 Echo Reply
3 Destination Unreachable
Codes
0 Net Unreachable
1 Host Unreachable
2 Protocol Unreachable
3 Port Unreachable
4 Fragmentation Needed and Don't Fragment was Set
5 Source Route Failed
6 Destination Network Unknown
7 Destination Host Unknown
8 Source Host Isolated
9 Communication with Destination Network is
Administratively Prohibited
10 Communication with Destination Host is
Administratively Prohibited
11 Destination Network Unreachable for Type of Service
12 Destination Host Unreachable for Type of Service
13 Communication Administratively Prohibited
14 Host Precedence Violation
15 Precedence cutoff in effect
4 Source Quench
Codes
0 No Code
5 Redirect
Codes
0 Redirect Datagram for the Network (or subnet)
1 Redirect Datagram for the Host
2 Redirect Datagram for the Type of Service and Network
3 Redirect Datagram for the Type of Service and Host
6 Alternate Host Address
Codes
0 Alternate Address for Host
7 Unassigned
8 Echo
9 Router Advertisement
Codes
0 Normal router advertisement
16 Does not route common traffic
11 Time Exceeded
Codes
0 Time to Live exceeded in Transit
1 Fragment Reassembly Time Exceeded
12 Parameter Problem
Codes
0 Pointer indicates the error
1 Missing a Required Option
2 Bad Length
13 Timestamp
Codes
0 No Code
14 Timestamp Reply
Codes
0 No Code
15 Information Request
Codes
0 No Code
16 Information Reply
Codes
0 No Code
17 Address Mask Request
Codes
0 No Code
18 Address Mask Reply
Codes
0 No Code
30 Traceroute
31 Datagram Conversion Error
32 Mobile Host Redirect
35 Mobile Registration Request
36 Mobile Registration Reply
39 SKIP
40 Photuris
Codes
0 = Bad SPI
1 = Authentication Failed
2 = Decompression Failed
3 = Decryption Failed
4 = Need Authentication
5 = Need Authorization
Cordially,
Sp1d3r
-
December 27th, 2001, 08:26 PM
#2
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|