Examining ICMP Flaws

← Back to Stories (view on slashdot.org)

Posted by samzenpus on Wednesday July 6, 2005 @01:00PM from the under-the-microscope dept.

An anonymous reader writes "A recent internet-draft pointed out a number of security flaws in the design of the ICMP protocol. Most open source projects and vendors have addressed the flaws to some level, but this interesting article on KernelTrap examines the true extent of the problem, and how so far only OpenBSD has implemented all possible counter-measures. Theo de Raadt is quoted saying, "here we have a 20 year old protocol, a part of the Internet infrastructure that hasn't been touched in 10 years and we were all sure was right, and now is cast in doubt.""

8 of 238 comments (clear)

Min score:

Reason:

Sort:

Cliff's Notes: Start Using TCP Sequence Number by DanielMarkham · 2005-07-06 13:07 · Score: 4, Interesting

The spec calls for a sequence number in the block. Vendors aren't checking it. There are a lot of technical details about how TCP connections can be slowed down by a ICMP attack, but if the vendors checked the sequence number it would make it almost impossible to implement these attacks.
Researcher found the bugs, tried to work with major vendors. Lawyers got involved, turns out Cisco had been working on a fix for years (so they say). Seems like vendors are more concerned about getting credit than fixing the bugs.
Reading between the lines, I take it the major vendors have patched their stacks and life is good. Linux implemented all the fixes for all the errors, but addressing the sequence number should be enough for now.
Makes me wonder: what did the guys writing the code back in the 80s think about the sequence number, anyway? It was obviously there for some reason. I guess because it wasn't part of the "official" spec it was ignored? Shame, that. That was back in the day when people probably didn't think of ICMP being used as a cyber attack vector.

Smart Identification Of Cost Savings, One Key to Program Management
This is ridiculous! by garcia · 2005-07-06 13:10 · Score: 4, Interesting

While the patent issue was happening with Cisco, CERT/CC created a mailing list to allow vendors to communicate amongst themselves about the newly discovered vulnerability. "They blamed me for submitting my work," Fernando said in exasperation. "One of Cisco's managers of PSIRT said I was cooperating with terrorists, because a terrorist could have gotten the information in the paper I wrote!"

Of course. We know of problems but we are going to go the Security by Obscurity route and then when the cover is blown we'll claim they are supporting terrorism instead of admitting that we were wrong!

If the terrorism route doesn't work we always have the patent on the issue to sue him with!

Way to fucking go, thanks Cisco!
1. Re:This is ridiculous! by dcam · 2005-07-06 19:37 · Score: 3, Interesting
  
  That is only half of it, read the full article for the way cisco behaved:
  
  He continued to reply thoroughly to all their questions, until two months later when he received an email from Cisco's lawyer claiming that Cisco held a patent on his work. He asked their lawyer for specifics, but they refused to reveal any details. ...
  
  Fernando went on to point out that from his experience vendors seem to be more concerned about who gets credit for finding a flaw, rather than about actually fixing it. Fernando explained, "Cisco was worried about not giving me credit because they claimed to have been working on the problem for four years. They offered to set up a meeting with some people of Cisco Argentina to show me documentation that would prove they had been working on the Path MTU Discovery attack for more than a year. It didn't happen. ...
  
  One week prior to the eventual discloser, Fernando received a call from the CTO of Cisco Argentina who asked him for a copy of his resume. "He said he wanted to have a meeting with me, telling me they might have a job for me," Fernando shrugged. "The meeting was delayed a few times, then I never heard from him again. I wouldn't have thought much of it, but I mentioned it to other people and it turns out they'd had similar experiences. It seems this is a common practice for Cisco to offer someone work in the hopes you'll not talk to the media when the security issues are disclosed."
  
  Way to go Cisco!
  
  --
  meh
Interesting ICMP exploit by OverCode@work · 2005-07-06 13:51 · Score: 5, Interesting

Often when Internet providers disable your cable/DSL/LAN connection for security or billing reasons, they just block TCP and UDP but leave ICMP available. I've observed Georgia Tech's ResNet to do this, and reportedly Adelphia's cable ISP does the same. You can ping to your heart's content, but can't send data.

Except that you can.

A ping packet (ICMP echo request) can have a completely arbitrary payload. You can put any data you want there. You could even tunnel IP inside it. You would have to have to have a friendly server on the outside to receive these packets and forward the contents, but that's easily done.

This trick might also be useful for tunnelling past content filters. I don't think any of them scan ICMP packets.

I'm writing a simple userspace IP stack (gets packets from the tun/tap interface), and I intend to try this out once it's a bit more mature.

-John
Re:Flaws with ICMP by Brian4120 · 2005-07-06 15:15 · Score: 4, Interesting

do you post just for the hell of posting? Brilliant.

--
13 million whoo!
Re:Flaws with ICMP by Adult+film+producer · 2005-07-06 15:19 · Score: 3, Interesting

Congratulations on having the 13,000,000 millionth post :)
The Real Problem With Internet Security by grumling · 2005-07-06 16:33 · Score: 3, Interesting

From the article: On the other hand, if it were true, then it would mean that Cisco takes about two years to address these issues. I would be concerned about this if I were one of their customers.
This is the biggest problem with large companies. Sure, it is has been pointed out adnausium over the years in various sources -The Mythical Man Month and The Innovators Dilemma being two very good ones. It is too bad that our network is now being ruled by bandits because of it. MS has become everything that it hated about IBM. Cisco has so much hardware out there that IOS has to be tested on everything before a new release. How can it be possible that when FOSS gets updated and corrected quicker? Of course, I work for a large company, and I see how long it takes to get a simple task completed. I'm guessing it has a lot to do with modivation. The open source folks really do believe in their product. For the people working in big companies, it is just a paycheck.

Of course, there's always this possibility

--
"Well, good luck finding a judge that doesn't run a bestiality site."
RFCs are never modified by JohnQPublic · 2005-07-07 00:36 · Score: 3, Interesting

The whole idea behind the RFC system was that the documents, once published, are unchanging. Just like every standard ANSI and ISO publish. There can be and often are documents that revise the protocol, but that's the nature of the standards game and even the ISO does it. Despite common references to ISO standards by number, their proper names are ISO nnnnn:yyyy. For example, SGML is ISO 8879:1986, not ISO 8879, and it has been updated three times since it was issued, by ISO 8879:1986/Cor 1:1996, ISO 8879:1986/Cor 2:1999 and ISO 8879:1986/Amd 1:1988.

And "back in the day", if you didn't implement part of an RFC for a protocol you implemented, you got lambasted for it. Search around the net for the early 1908s discussions of the TCP Bakeoffs if you want to see how serious we were about it.