[unisog] Necessary ICMP traffic and the SANS/FBI top 20 Vulnerabilities

Mike Cojocea msc39 at georgetown.edu
Mon Jun 16 19:00:57 GMT 2003

I think first of all we should make a distinction between DMZ and
INSIDE networks.

You will have to be pretty restrictive with the INSIDE and you could be
a bit more lax with the DMZ.

Blocking all ICMP datagrams is not always a good idea. To INSIDE you
would need to allow:
- Echo reply;
- Type 3 Destination Unreachable;
- TTL Exceeded.  

Also you should allow fragmentation needed, which is necessary for Path
MTU Discovery.

I would certainly block ICMP Source Quench, router discovery protocol,
and ICMP redirects.
Using Source Quench, somebody can mount a very nice DoS attack.

Mike Cojocea, CISSP

Network Security Analyst
Georgetown University
University Information Services

msc39 at georgetown.edu

"Mayne, Jim" wrote:
> In the SANS/FBI top 20 vulnerabilities they suggest blocking incoming ICMP echo requests and outgoing replies as well as blocking outgoing destination unreachable (except for fragmentation needed) messages.
> Given all the other ICMP messages available to intruders I am curious if a better approach would not be to allow only fragmentation needed (3-4) and source quench in/out of your network. It seems that any others should only be passing between nodes inside your network.
> Is this not true?
> Thanks,
> Jim Mayne
> Sr. Network Engineer
> Texas Christian University
> j.mayne at tcu.edu
> (817) 257-6843
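The INSIDE policy in the reply above (pass echo reply, type 3 destination unreachable including code 4 fragmentation needed, and TTL exceeded; drop source quench, router discovery and redirects; everything else denied) written out as a small ICMP header parser and filter decision. This is an added example, not code from the poster or the unisog list; the type and code numbers are the standard RFC 792 / RFC 1256 values, the packets are constructed inline, and the checksum check is included so a corrupted header is dropped rather than classified.

```python
import struct

# ICMP type numbers from RFC 792 (and RFC 1256 for router discovery)
ECHO_REPLY, DEST_UNREACH, SOURCE_QUENCH, REDIRECT = 0, 3, 4, 5
ECHO_REQUEST, ROUTER_ADVERT, ROUTER_SOLICIT, TIME_EXCEEDED = 8, 9, 10, 11
FRAG_NEEDED = 4  # code 4 under type 3: "fragmentation needed and DF set"

# Types the reply says must reach INSIDE hosts for normal operation
INSIDE_ALLOW = {ECHO_REPLY, DEST_UNREACH, TIME_EXCEEDED}
# Types the reply says to block outright (DoS / route manipulation vectors)
INSIDE_DROP = {SOURCE_QUENCH, REDIRECT, ROUTER_ADVERT, ROUTER_SOLICIT}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words, odd length zero-padded.
    Over a whole packet whose checksum field is filled in, this returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4) -> bytes:
    """Construct a minimal ICMP packet (8-byte header) with a valid checksum."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(body)) + rest


def parse_icmp(packet: bytes):
    """Return (type, code, checksum_ok) for a raw ICMP packet (no IP header)."""
    if len(packet) < 8:
        raise ValueError("ICMP packet shorter than 8-byte header")
    icmp_type, code, _ = struct.unpack("!BBH", packet[:4])
    return icmp_type, code, icmp_checksum(packet) == 0


def filter_inbound(packet: bytes):
    """Apply the INSIDE policy; returns (verdict, reason) for logging."""
    icmp_type, code, ok = parse_icmp(packet)
    if not ok:
        return "DROP", "bad ICMP checksum"
    if icmp_type in INSIDE_DROP:
        return "DROP", "type %d explicitly blocked" % icmp_type
    if icmp_type == DEST_UNREACH and code == FRAG_NEEDED:
        return "ALLOW", "type 3 code 4 (needed for Path MTU Discovery)"
    if icmp_type in INSIDE_ALLOW:
        return "ALLOW", "type %d code %d permitted to INSIDE" % (icmp_type, code)
    return "DROP", "type %d not in INSIDE allow list (default deny)" % icmp_type
```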

