
36 What are ICMP redirects and redirect bombs? (Various Attacks - Firewalls)





This article is from the Firewalls FAQ, by Matt Curtin cmcurtin@interhack.net and Marcus J. Ranum mjr@nfr.com with numerous contributions by others.


An ICMP Redirect tells the recipient system to override something in its
routing table. It is legitimately used by routers to tell a host that it is
using a non-optimal or defunct route to a particular destination, i.e. the
host is sending traffic to the wrong router. The wrong router sends the host
back an ICMP Redirect packet that tells the host what the correct route
should be. If you can forge ICMP Redirect packets, and if your target host
pays attention to them, you can alter the routing tables on the host and
possibly subvert the security of the host by causing traffic to flow via a
path the network manager didn't intend. ICMP Redirects may also be employed
for denial of service attacks, where a host is sent a route that loses it
connectivity, or is sent an ICMP Network Unreachable packet telling it that
it can no longer access a particular network.

Many firewall builders screen ICMP traffic from their network, since doing
so limits the ability of outsiders to ping hosts or modify their routing
tables.

Before you decide to completely block ICMP, you should be aware of how TCP
performs "Path MTU Discovery", to make certain that you don't break
connectivity to other sites. If you can't safely block it everywhere, you
can consider allowing selected types of ICMP to selected routing devices. If
you don't block it, you should at least ensure that your routers and hosts
don't respond to broadcast ping packets.
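
The screening policy described above, sketched as an added example (not part
of the original FAQ): redirects are dropped, the one Destination Unreachable
code that Path MTU Discovery depends on is allowed, and broadcast pings are
refused. The function names, the default-drop rule and the sample packets are
assumptions constructed for illustration.

```python
import socket
import struct

# ICMP numbers from RFC 792 and RFC 1191.
DEST_UNREACH, REDIRECT, ECHO_REQUEST = 3, 5, 8
FRAG_NEEDED = 4  # Destination Unreachable code that Path MTU Discovery relies on

def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Build a constructed ICMP message (sample input only)."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def screen(icmp: bytes, dst_is_broadcast: bool = False):
    """Return (verdict, reason) for an inbound ICMP message at the perimeter."""
    if len(icmp) < 8 or checksum(icmp) != 0:
        return "drop", "truncated or bad checksum"
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type == REDIRECT:
        # Bytes 4..7 of a redirect carry the gateway the host is told to use.
        gateway = socket.inet_ntoa(icmp[4:8])
        return "drop", "redirect to gateway %s" % gateway
    if icmp_type == DEST_UNREACH and code == FRAG_NEEDED:
        # RFC 1191 puts the next-hop MTU in bytes 6..7.
        mtu = struct.unpack("!H", icmp[6:8])[0]
        return "allow", "PMTUD, next-hop MTU %d" % mtu
    if icmp_type == ECHO_REQUEST and dst_is_broadcast:
        return "drop", "broadcast ping"
    # Assumed default: anything not explicitly selected is screened out.
    return "drop", "ICMP type %d code %d not in allow list" % (icmp_type, code)

# Constructed samples; 192.0.2.1 is a documentation address.
QUOTED = b"\x00" * 28  # stand-in for the quoted IP header + 8 bytes
SAMPLES = {
    "redirect": build_icmp(REDIRECT, 1, socket.inet_aton("192.0.2.1"), QUOTED),
    "frag_needed": build_icmp(DEST_UNREACH, FRAG_NEEDED, struct.pack("!HH", 0, 1400), QUOTED),
    "net_unreach": build_icmp(DEST_UNREACH, 0, b"\x00" * 4, QUOTED),
    "echo": build_icmp(ECHO_REQUEST, 0, struct.pack("!HH", 1, 1)),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, screen(msg, dst_is_broadcast=(name == "echo")))
```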

 
