Un-Official Guide to Secure ICMP Packet Filtering

(applicable to firewalls, routers, and/or other packet-filtering devices)

Authors: Stuart Thomas and Vic Vandal

Original Publish Date: 1994

(revised content: 1995, revised format: various dates)

 

 

Echo and Echo Reply Messages - ICMP Code Type 8

Description: The echo (also called echo request) message is used to check if a host is up or down. When a host receives the request, it sends back an echo reply message. These messages are usually generated by a ping command, but may also be generated by a network management station that is polling the nodes of a network.

 

Firewall Issues: Echo requests can be used by an outsider to map your network.

• Allow the outgoing echo request and incoming echo reply
• Deny the incoming echo request and outgoing echo reply

 

 

Destination Unreachable Message - ICMP Code Type 3

Description: These messages are generated by hosts or intermediate routers in order to notify the initiator that a session cannot be established.

 

Firewall Issues: An outsider can force nodes of your network to generate these packets in order to obtain knowledge of your network.

• Allow the incoming message (for troubleshooting purposes)
• Deny the outgoing message

 

 

Source Quench Message – ICMP Code Type 4

Description: This message is generated by a host or a router when it wants the sender to slow down the rate at which it is sending packets. The IP stack passes this packet to the upper layers, and they are responsible for slowing the rate down.

 

Firewall Issues: This message could be used by an attacker (probably combined with IP spoofing) in order to make a very effective denial of service attack. Unfortunately it is more often a legitimate message. If filtered, problems may arise due to lost packets.

• Allow it to be sent and received, but also log the received messages for later analysis

 

 

Redirect Message – ICMP Code Type 5

Description: This message is generated by a router when it receives a packet from a host, and forwards the packet to another router that is on the same network as the host from which it received the packet (not the original sender, the last hop sender).

 

Firewall Issues: Redirect has (as described) a very specific legitimate use. However it can be abused by a cracker to subvert the routing table and thereby allow IP address spoofing.

Redirect is not supposed to cross a router (the packet is only sent when the sender and both routers are on the same physical network).

• Allow this packet to be sent and logged
• Deny the receiving of this packet
• Notify the owners of the machines to which you sent redirects so that they can correct their routing tables

 

 

Time Exceeded Message – ICMP Code Type 11

Description: Time to live exceeded is generated by a router when it has to forward a packet

with a time to live (TTL) value of zero. Fragment reassembly time exceeded is generated by a host when it does not receive all the fragments needed to reassemble a packet.

 

Firewall Issues: An attacker can use traceroute to find out which hosts are the routers in your network.

• Enable this for incoming packets so your hosts can perform error recovery
• For outgoing packets allow all fragment reassembly time exceeded messages, but not the TTL exceeded messages

 

 

Parameter Problem Message – ICMP Code Type 12

Description: This message is generated when a host that is processing a packet finds a problem in the header parameters that forces the packet to be discarded.

 

Firewall Issues: An outsider will gain no information with this packet.

• Allow it inbound and outbound in order to report problems

 

 

Time Stamp and Time Stamp Reply Message – ICMP Code Type 13

Description: The time stamp message is used to identify the time in milliseconds since midnight. It receives as an answer a time stamp reply message.

 

Firewall Issues: This protocol may be used by an attacker as a mapping tool (an alternative to ping).

• Deny it inbound and outbound

 

 

Information Request Message – ICMP Code Type 15

Description: This message is used by a host that is booted across the network, to learn in which IP network it is located. These messages are made obsolete by new protocols, like RARP, BOOTP and DHCP. Also RFC-1122 says that a host should not implement this protocol.

 

Firewall Issues: This message is for local networks only, so it does not need to cross a router. No Firewall should generate these requests, because it knows its IP interfaces.

• Deny it inbound and outbound

 

 

Address Mask Request and Address Mask Reply – ICMP Code Type 17

Description: The address mask request message is sent when a node wants to know the address mask of an interface.

 

Firewall Issues: This message can be used by outsiders to learn the topology of your network. There were also cases in which a TCP/IP stack took inappropriate actions when it received an unsolicited address mask reply.

• Deny it inbound and outbound

 

 

Router Advertisement and Router Solicitation Message – ICMP Code Type 9

Description: These messages are used by hosts in order to dynamically discover the routers

in a network. It is specified in RFC-1256, and the current status of the protocol is elective.

 

Firewall Issues: These messages are supposed to be for local networks only.

• Deny the messages inbound and outbound

 

 

Domain Name Request and Domain Name Reply Messages – ICMP Code Type 37

Description: These messages are used by hosts in order to learn the domain associated with an address.

 

Firewall Issues: The ICMP implementation of this is not currently used.

• Deny it inbound and outbound

 

 

Traceroute Message – ICMP Code Type 30

Description: This message is used in order to implement traceroute in a more efficient way. It is specified in RFC-1393. The current status of the protocol is experimental.

 

Firewall Issues: Could be used by an outsider to map your internal network.

• It can be allowed inbound
• Deny it outbound

 

 

Anything Else (everything NOT covered above)

• Block inbound and outbound