Slashdot Mirror

← Back to Stories (view on slashdot.org)

Examining ICMP Flaws

Posted by samzenpus on from the under-the-microscope dept.

An anonymous reader writes "A recent internet-draft pointed out a number of security flaws in the design of the ICMP protocol. Most open source projects and vendors have addressed the flaws to some level, but this interesting article on KernelTrap examines the true extent of the problem, and how so far only OpenBSD has implemented all possible counter-measures. Theo de Raadt is quoted saying, "here we have a 20 year old protocol, a part of the Internet infrastructure that hasn't been touched in 10 years and we were all sure was right, and now is cast in doubt.""

5 of 238 comments (clear)

  1. Re:ICMP flaw #1 on Linux: it's in the kernel by A+beautiful+mind · · Score: 5, Insightful

    The scary thing is that the parent is talking about ICMP without actually knowing what it is.

    You see, this is one of the failures of the moderation system: when someone posts something like this, it seems intelligent because it mentions a lot of familiar things, but overally it's not even making sense. The problem is that moderators work like this:

    Argument: check
    Clear line of thinking: check
    Windows comparison: check

    The problem is that this checklist does not include VERIFYING THINGS like what ICMP is. This is how the parent got +5, insightful while it's one of the most misinformed posts i've seen in a while.

    --
    It takes a man to suffer ignorance and smile
    Be yourself no matter what they say
  2. Re:ICMP flaw #1 on Linux: it's in the kernel by Trick · · Score: 5, Insightful

    How the heck did this get modded insightful?

    ICMP runs on a different layer than all of the services you mentioned. ICMP is a network layer protocol (like IP and IPv6, also called "layer 3"), and all the protocols you mentioned are application layer (layer 7) protocols. There's no direct comparison to be made to any of the protocols (HTTP, SMB, FTP and NFS) you mentioned.

    If you want to compare having ICMP in the kernel to other sinilar protocols, your best argument (if you can call it that) is that we should have *IP*, another layer 3 protocol, "running as an ordinary user process, not root, and especially not as a kernel process." Obviously, IP *is* included in the kernel, for plenty of good reasons. Comparing ICMP to application-layer protocols like HTTP holds no weight whatsoever, unless you're completely ignorant of network fundamentals.

    How it got modded to +5 Insightful baffles me. I'd have thought this crowd would have a better handle on the basics.

  3. Interesting ICMP exploit by OverCode@work · · Score: 5, Interesting

    Often when Internet providers disable your cable/DSL/LAN connection for security or billing reasons, they just block TCP and UDP but leave ICMP available. I've observed Georgia Tech's ResNet to do this, and reportedly Adelphia's cable ISP does the same. You can ping to your heart's content, but can't send data.

    Except that you can.

    A ping packet (ICMP echo request) can have a completely arbitrary payload. You can put any data you want there. You could even tunnel IP inside it. You would have to have to have a friendly server on the outside to receive these packets and forward the contents, but that's easily done.

    This trick might also be useful for tunnelling past content filters. I don't think any of them scan ICMP packets.

    I'm writing a simple userspace IP stack (gets packets from the tun/tap interface), and I intend to try this out once it's a bit more mature.

    -John

  4. Re:ICMP flaw #1 on Linux: it's in the kernel by Animats · · Score: 5, Informative
    Sigh.

    As someone who once implemented ICMP (in 1982, before BSD, even), I should say something.

    First, ICMP is a layer 3 protocol, like TCP and UDP. ICMP is IP protocol #1; TCP is #6 and UDP is #17.

    Second, it's quite feasible to put ICMP in user space. I'm writing this on a QNX system where it's in user space. My 1982 implementation was also in user space, as part of 3COM's UNET. Linux doesn't do it that way, but it's not fundamental that ICMP must be in the kernel. It needs to have a mechanism to pass messages to the other protocols, but that's a local message passing problem. But I'm not going to rehash the ever-growing monolithic kernel issue here.

    Third, we knew about many of those vulnerabilities back in the 1980s, but weren't as concerned about them because the Internet was a DoD/NSF operation. Destination Unreachable and Source Quench messages used to be taken more seriously than they are now. Destination Unreachable told you where the network was down, and Source Quench told you where it was congested, basic network management info back then. Today, nobody does network management that way and many TCP stacks don't do much, if anything, with ICMP information. I used to encourage the use of Source Quench for congestion management (see my RFC on this, from 1984), but it's far less appropriate today. Back then, we were concerned about packet loss through transmission errors, a frequent occurence with leased-line synchronous modems. So, when a packet was lost, the question was whether you should retransmit rapidly (appropriate for an error) or slowly (appropriate for congestion). Source Quench could disambiguate that situation. Today, it's assumed that packets are lost almost entirely through congestion, since the lower levels are of much better quality than they used to be.

  5. Theo by Anonymous Coward · · Score: 5, Insightful
    Theo may be a belligerent asshole, no question. But he is a belligerent asshole working for my side.

    I run OpenBSD stable, and some belligerent asshole stays up all night worrying about the best possible response to the latest threats. Sure, I will buy a CD http://openbsd.org/items.html#37.

    And Theo, thank you for being a belligerent asshole for the good guys.