Slashdot Mirror


Examining ICMP Flaws

An anonymous reader writes "A recent internet-draft pointed out a number of security flaws in the design of the ICMP protocol. Most open source projects and vendors have addressed the flaws to some level, but this interesting article on KernelTrap examines the true extent of the problem, and how so far only OpenBSD has implemented all possible counter-measures. Theo de Raadt is quoted saying, "here we have a 20 year old protocol, a part of the Internet infrastructure that hasn't been touched in 10 years and we were all sure was right, and now is cast in doubt.""

18 of 238 comments

  1. Re:ICMP flaw #1 on Linux: it's in the kernel by pingus · · Score: 2, Insightful

    "We don't put HTTP servers in the kernel." Umm, khttpd is pretty much an http server in the kernel. But more on topic, what a pain in the ass it would be to have to install and maintain yet another network server. I'd rather just have it in the kernel personally. If I really had a problem with it, I'd take it out. That's the beauty of Linux.

  2. Re:Google search links by rel4x · · Score: 2, Insightful

    I wasn't really familiar with ICMP, so I did a quick Google. Found a couple of good links

    You must be new around here...we don't really even advocate reading the article, and absolutely forbid background research...

    --

    Before you mod me funny, think, perhaps I was insightfully funny?
  3. Re:ICMP flaw #1 on Linux: it's in the kernel by A+beautiful+mind · · Score: 5, Insightful

    The scary thing is that the parent is talking about ICMP without actually knowing what it is.

    You see, this is one of the failures of the moderation system: when someone posts something like this, it seems intelligent because it mentions a lot of familiar things, but overall it's not even making sense. The problem is that moderators work like this:

    Argument: check
    Clear line of thinking: check
    Windows comparison: check

    The problem is that this checklist does not include VERIFYING THINGS like what ICMP is. This is how the parent got +5, Insightful while it's one of the most misinformed posts I've seen in a while.

    --
    It takes a man to suffer ignorance and smile
    Be yourself no matter what they say
  4. Re:ICMP flaw #1 on Linux: it's in the kernel by Trick · · Score: 5, Insightful

    How the heck did this get modded insightful?

    ICMP runs on a different layer than all of the services you mentioned. ICMP is a network layer protocol (like IP and IPv6, also called "layer 3"), and all the protocols you mentioned are application layer (layer 7) protocols. There's no direct comparison to be made to any of the protocols (HTTP, SMB, FTP and NFS) you mentioned.

    If you want to compare having ICMP in the kernel to other similar protocols, your best argument (if you can call it that) is that we should have *IP*, another layer 3 protocol, "running as an ordinary user process, not root, and especially not as a kernel process." Obviously, IP *is* included in the kernel, for plenty of good reasons. Comparing ICMP to application-layer protocols like HTTP holds no weight whatsoever, unless you're completely ignorant of network fundamentals.

    How it got modded to +5 Insightful baffles me. I'd have thought this crowd would have a better handle on the basics.

  5. Yeah, there's a bunch of this stuff around by mveloso · · Score: 2, Insightful

    I think you could send a redirect via ICMP too, to generate your own man-in-the-middle attack. It's been too long since I've read the RFC.

    DHCP has a whole bunch of issues too. For example, what if a DHCP client gets a DHCPACK from some machine? I'll bet that it would just reconfigure itself using the information in the packet. Bam, you've got a man-in-the-middle attack.

    1. Re:Yeah, there's a bunch of this stuff around by interweb · · Score: 2, Insightful

      Fixing the DHCP ACK issue seems like it would require a switch update/upgrade so that the switch doesn't allow traffic to any physical port by any other physical port, except the dhcp server's physical port, until the machine connected to that port gets assigned an IP address, by the DHCP server, in response to the machine's DHCP request.

  6. Re:Cliff's Notes: Start Using TCP Sequence Number by w1r3sp33d · · Score: 2, Insightful

    Help me out here, I seriously want to understand your comment. How can ICMP, outlined in RFC792 http://www.ietf.org/rfc/rfc0792.txt?number=792/ , allow for a sequence number when it is designed as an unreliable protocol without a port number or sequence number in the header? I mean, unless we rewrite ICMP as a layer four protocol I don't see how we can prevent this?

  7. It was supposed to be simple! by BigKeys · · Score: 2, Insightful

    We knew about the problems with ICMP when we first designed applications around it in the mid 80s. But at that time it just was not critical or exposed enough for us to really spend too much time planning workarounds or suggesting changes to the specification.

    At that time we really didn't think that there would be such a huge number of users for what we thought was something with a very limited audience.

  8. Re:This is ridiculous! by jrockway · · Score: 3, Insightful

    Wow. It is about time to stop buying Cisco products. Their idea of security is calling people who help them make it better "terrorists". No fucking thanks.

    --
    My other car is first.
  9. Re:Cliff's Notes: Start Using TCP Sequence Number by w1r3sp33d · · Score: 2, Insightful
    I just ran my sniffer and inspected an ICMP echo request. I see the ICMP seq#; there is no TCP header on the packet. While I can see this being a potential tool to defend against a barrage of ICMP echo replies (or any reply protocol under ICMP), I still cannot see how it would be a useful tool in other scenarios, e.g. if I were sending Echoes or Information Requests.

    Regardless, I see greater challenges for ICMP with much more complicated answers needed. Until then I still see old school ACLs as the best prevention. I will have to owe everyone some change on those two cents.
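
    The check the "Start Using TCP Sequence Number" thread title alludes to, as an added example (not code from OpenBSD, Linux or the internet-draft in the story): per RFC 792 an ICMP error message carries the IP header plus the first 64 bits of the datagram that triggered it, and for TCP those 64 bits are exactly the source port, destination port and sequence number. A host can therefore match an inbound unreachable against its own connection table and require the quoted sequence number to fall inside the range of data it has actually sent, rather than dropping all ICMP with an ACL (which also kills the "fragmentation needed" messages that PMTU discovery relies on, the point raised later in this thread). Redirects, the man-in-the-middle vector mentioned in comment 5, are refused outright. The connection-table layout, verdict strings, checksum helper and the sample addresses/ports below are this example's own constructions.

```python
"""Validate inbound ICMPv4 error messages against a TCP connection table.

Added example for this discussion, not code from OpenBSD, Linux or the
internet-draft in the story.  TcpConn, the verdict strings and the
addresses/ports in the demo are this example's own constructions.
"""
import socket
import struct
from dataclasses import dataclass

TCP = 6
# ICMP types that quote the offending datagram (RFC 792).
ERROR_TYPES = {3: "unreachable", 4: "source quench", 5: "redirect",
               11: "time exceeded", 12: "parameter problem"}


@dataclass
class TcpConn:
    """Minimal connection-table entry (hypothetical layout)."""
    local: str
    lport: int
    remote: str
    rport: int
    snd_una: int  # oldest sequence number we sent that is still unacknowledged
    snd_nxt: int  # next sequence number we will send


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum; returns 0 over a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def seq_in_range(seq: int, lo: int, hi: int) -> bool:
    """lo <= seq < hi, wrap-safe on the 32-bit sequence circle."""
    return ((seq - lo) & 0xFFFFFFFF) < ((hi - lo) & 0xFFFFFFFF)


def validate_icmp_error(icmp: bytes, conns: list) -> str:
    """Return a verdict; anything starting with 'drop' is never delivered to TCP."""
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        return "drop: bad length or checksum"
    typ, code, _cksum, word2 = struct.unpack_from("!BBHI", icmp, 0)
    if typ not in ERROR_TYPES:
        return "pass: not an ICMP error"  # echo request/reply etc. are handled elsewhere
    if typ == 5:
        # An unauthenticated redirect can re-route our traffic through an attacker.
        gateway = socket.inet_ntoa(struct.pack("!I", word2))
        return "drop: redirect to %s ignored" % gateway
    inner = icmp[8:]
    if len(inner) < 20:
        return "drop: truncated inner IP header"
    ihl = (inner[0] & 0x0F) * 4
    if len(inner) < ihl + 8:
        return "drop: fewer than 8 bytes of inner transport header"
    if inner[9] != TCP:
        return "drop: inner protocol %d not tracked" % inner[9]
    src = socket.inet_ntoa(inner[12:16])  # our address: the error is about a datagram we sent
    dst = socket.inet_ntoa(inner[16:20])
    # The 64 quoted bits of a TCP segment are exactly: source port, dest port, sequence number.
    sport, dport, seq = struct.unpack_from("!HHI", inner, ihl)
    for c in conns:
        if (c.local, c.lport, c.remote, c.rport) != (src, sport, dst, dport):
            continue
        if not seq_in_range(seq, c.snd_una, c.snd_nxt):
            return "drop: quoted seq %d outside [%d, %d)" % (seq, c.snd_una, c.snd_nxt)
        return "accept: %s code %d for %s:%d -> %s:%d" % (
            ERROR_TYPES[typ], code, src, sport, dst, dport)
    return "drop: no matching connection"


def build_icmp_error(typ: int, code: int, word2: int, src: str, dst: str,
                     sport: int, dport: int, seq: int) -> bytes:
    """Constructed message: ICMP header + minimal inner IPv4 header + 8 TCP bytes."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, TCP, 0,
                           socket.inet_aton(src), socket.inet_aton(dst))
    inner_tcp = struct.pack("!HHI", sport, dport, seq)
    body = struct.pack("!BBHI", typ, code, 0, word2) + inner_ip + inner_tcp
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


if __name__ == "__main__":
    # Constructed sample: one IRC connection with unacknowledged data in [1000, 1500).
    table = [TcpConn("192.0.2.10", 40000, "198.51.100.7", 6667, 1000, 1500)]
    args = ("192.0.2.10", "198.51.100.7", 40000, 6667)
    for msg in (build_icmp_error(3, 1, 0, *args, 1200),        # genuine host-unreachable
                build_icmp_error(3, 1, 0, *args, 5000),        # blind spoof, seq guessed wrong
                build_icmp_error(3, 4, 1400, *args, 1000),     # frag-needed (PMTUD) still accepted
                build_icmp_error(5, 1, 0xC0000201, *args, 1200),  # redirect via 192.0.2.1
                build_icmp_error(3, 1, 0, "192.0.2.10", "198.51.100.7", 40001, 6667, 1200)):
        print(validate_icmp_error(msg, table))
```

    An attacker who knows the two addresses still has to guess the client port and a sequence number inside the unacknowledged window, which is the same bar a blind TCP RST injection faces; legitimate errors from routers on the path pass because they quote what the host really sent.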

  10. Typical science by pstreck · · Score: 2, Insightful
    here we have a 20 year old protocol, a part of the Internet infrastructure that hasn't been touched in 10 years and we were all sure was right, and now is cast in doubt.

    This seems very typical of science in all fields. An unproven theory goes unrebutted for some time until someone realizes we made a big mistake. The world was once flat, remember guys! One thing this should point us to is that no matter how solid something appears, it will always be broken, whether it be a theory, a protocol or yes, even the fortress known as OpenBSD *duck*. Jokes aside, remember nothing is secure.

    --

    Later,
    Phil
  11. Holy timewarp batman! by NotWulfen · · Score: 3, Insightful

    IRC networks have been plagued with ICMP unreachables for years

    http://www.rs-labs.com/papers/tacticas/ircutils/puke.html

    nothing new to see here, move along.

    1. Re:Holy timewarp batman! by RAMMS+EIN · · Score: 2, Insightful

      ``nothing new to see here, move along.''

      Well, no. The point is not that there is something new here, but that there isn't. These vulnerabilities are older than the www, but they still haven't been addressed properly. Now, that isn't exactly a new thing either, but it's good to give some attention to it, so that, maybe, they will be addressed soon.

      And there are interesting philosophical implications, too. Fundamentally, these messages can be spoofed to cause problems. You get the bad with the good. We probably want something like ICMP. So then, how far should we go to make it difficult to exploit? Remember, difficult to exploit here means difficult to implement, which means Mistakes Will Be Made, which hurts usability, and probably security, too. Law enforcement is starting to feel like a good option to me.

      --
      Please correct me if I got my facts wrong.
  12. Theo by Anonymous Coward · · Score: 5, Insightful
    Theo may be a belligerent asshole, no question. But he is a belligerent asshole working for my side.

    I run OpenBSD stable, and some belligerent asshole stays up all night worrying about the best possible response to the latest threats. Sure, I will buy a CD http://openbsd.org/items.html#37.

    And Theo, thank you for being a belligerent asshole for the good guys.

  13. Re:This is ridiculous! by hethinkstoomuch · · Score: 2, Insightful
    It's really sad to realize that Cisco and other big players at this level think that they are justified in trying to patent such core infrastructure technologies or protocols (fixes).

    If Cisco wants to "Empower the Internet Generation" then they should show a little more old-fashioned Internet Netiquette and proactively share new ideas and address security issues openly with the community rather than cowardly behind lawyers' doors. (After all, haven't they too benefited from all the open source code they've integrated into their products?)

    Take a millicent, give a millicent.

  14. However,.... by WindBourne · · Score: 2, Insightful

    it is not illegal to write the code. It would be useful to see if this hack does work. If so, then it will point out weaknesses in the networks as well as an issue with the protocol.

    Now, with that said, yeah, it is theft, and it is federal. So, I am sure that s?he will not be using it illegally. Or at least, I hope not.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  15. Re:Stop the Paranoia!!!!!!!! by DrSkwid · · Score: 2, Insightful

    because you don't need to physically go to a computer to break into it

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  16. Re:Cliff's Notes: Start Using TCP Sequence Number by Anonymous Coward · · Score: 1, Insightful

    Idiots like you are why we can't use PMTU discovery reliably.

    Get it through your thick skull: ICMP != PING

    ICMP is the *PROTOCOL* that ping uses, but other things use ICMP as well.