ICMP Packet Filtering v1.2

By Rob Thomas, robt at cymru.com, 12 MAR 2003

[ Documents ] [ Home ]

Changes in Version 1.2

Removed source quench. Thanks, John and Steve. :)
Updated the comments for the sake of clarity.

Changes in Version 1.1

Changed link to IANA ICMP list. Thanks, Jan! :)

Introduction

When the Secure IOS Template was created, rate limiting of ICMP (Internet Control Message Protocol) was introduced to mitigate the effects of certain ICMP based attack types. Please investigate the use of rate-limiting of various protocols on your network, both on ingress and egress. You may save your bandwidth and the bandwidth of others if your network can support rate-limits. As always, KNOW YOUR NETWORK! Do not blindly apply rate-limiting, this template, or any other guides without understanding how they will impact your site.

While the use of rate-limits mitigates a flood of ICMP from entering the border, it does not address the need for the filtering of individual ICMP message types. That is the purpose of this guide.

ICMP packets have a TYPE and CODE. The TYPE defines the ICMP message that is being passed. In certain cases, a TYPE may have several sub messages, called a CODE. For example, a "destination unreachable" message might have a TYPE of 3 and a CODE of 3. This would be the ICMP message generated when a port on the target host is unreachable. When a ICMP message requires only a TYPE, the CODE will be set to 0. Further details on the ICMP packet contents and messages can be found in RFC792 (noted below).

While such filtering may be highly site specific, this document provides a guideline for the filtering of ICMP messages. Many documents recommend that all ICMP be blocked; this is technically specious. ICMP is a protocol specifically designed to report errors, and is thus a necessary protocol on any efficient IP network. ICMP provides more than simply a method for miscreants to use to launch DoS (Denial of Service) attacks against sites.

Additional References

It is recommend that the reader peruse the following documentation. While the author of this paper does not necessarily agree with the contents of each document, it is important that the implementor of ICMP filtering understand the points and counterpoints of all filtering discussions.

RFC792 - Internet Control Message Protocol, by J. Postel.
TCP/IP Illustrated, Volume I, by Richard Stevens.
ICMP Usage in Scanning, by Ofir Arkin.
/usr/include/netinet/ip_icmp.h - Header file for UNIX implementations of ICMP.
IANA ICMP Type Numbers - Definitive list of ICMP types and codes.

Credits

My thanks to the folks who have taken the time to review this article, offer suggestions, and the like.

Steve Gill
Stephen Kanclerowicz
Neil Long
Nils Magnus
Jan Meijer
Klaus Moeller
Teun Nijssen
Hank Nussbacher
And, of course, the FIRST community.

Allowed Types and Codes

Border routers should be configured to ignore redirects and block directed broadcast (smurf attack). This is detailed in the Secure IOS Template.

The following ICMP messages are the minimum set that should be permitted to enter and exit the border. Note that this is only a RECOMMENDATION. Site requirements may create additions, deletions, or changes to this list.

NAME             TYPE    CODE COMMENT
ICMP_ECHO           8       0 /* Ping. */
ICMP_ECHOREPLY      0       0 /* Ping response. */
ICMP_UNREACH        3       4 /* ICMP_UNREACH_NEEDFRAG - Used by Path */
                               /* MTU to determine the optimal MTU setting. */
ICMP_TIMXCEED      11       0 /* TTL expired in transit. Used by UNIX */
                               /* traceroute and Windows tracert. Note that */
                               /* UNIX traceroute also uses a high UDP port. */
                               /* This message is also important when */
                               /* routing loops occur. */

All other ICMP messages should be blocked (again, depending on the requirements of the site). The placement of these filters is a site specific decision. Certainly these filters can be enacted in a firewall. These filters can also be enacted in a Cisco router, which has the added capability of blocking all ICMP fragments. This would be done with the following Cisco IOS syntax. I use the "any any" because it is simple and easier than adding an ACL for each netblock. I, like many of you, suffer from Discontiguous Netblock Allocation Syndrome. :-) As Hank said, KISS - Keep It Simple, Stupid.

access-list 2001 remark Specifically block ICMP fragments
access-list 2001 deny icmp any any fragments
access-list 2001 remark Permit inbound ping.
access-list 2001 permit icmp any any echo
access-list 2001 remark Permit inbound ping response.
access-list 2001 permit icmp any any echo-reply
access-list 2001 remark Permit Path MTU to function.
access-list 2001 permit icmp any any packet-too-big
access-list 2001 remark Permit time exceeded messages for traceroute and loops.
access-list 2001 permit icmp any any time-exceeded
access-list 2001 remark And explicitly block all other ICMP packets
access-list 2001 deny icmp any any
access-list 2001 remark Permit everything else (or add additional ACLs here).
access-list 2001 permit ip any any

Conclusion

ICMP is a necessary and powerful protocol that provides error messaging for the IP protocol. While commonly misunderstood, the ICMP protocol is not strictly a haven for miscreants. Proper configuration of ICMP filters and rate limiting will ensure the continued efficient operation of an IP network.

[ Documents ] [ Home ]

Rob Thomas, robt at cymru.com, http://www.cymru.com