4.2 What are ICMP redirects and redirect bombs?
An ICMP Redirect tells the recipient system to override something in
its routing table. It is legitimately used by routers to tell hosts
that the host is using a non-optimal or defunct route to a particular
destination, i.e. the host is sending traffic to the wrong router. The
wrong router sends the host back an ICMP Redirect packet that tells
the host what the correct route should be. If you can forge ICMP
Redirect packets, and if your target host pays attention to them, you
can alter the routing tables on the host and possibly subvert the
security of the host by causing traffic to flow via a path the network
manager didn't intend. ICMP Redirects may also be employed for denial
of service attacks, where a host is sent a route that loses it
connectivity, or is sent an ICMP Network Unreachable packet telling it
that it can no longer access a particular network.
Many firewall builders screen ICMP traffic from their network, since
it limits the ability of outsiders to ping hosts, or modify their
routing tables.
Before you decide to completely block ICMP, you should be aware of how
the TCP protocol does "Path MTU Discovery" (it relies on ICMP
Destination Unreachable messages with the "fragmentation needed" code),
to make certain that you don't break connectivity to other sites. If
you can't safely block it everywhere, you can consider allowing
selected types of ICMP to selected routing devices. If you don't block
it, you should at least ensure that your routers and hosts don't
respond to broadcast ping packets.
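The three recommendations above (drop redirects, keep the ICMP message that Path MTU Discovery needs, and ignore pings to broadcast addresses) can be expressed as a small packet classifier. The following is an added example, not code from the FAQ or from VESARiA: it parses IPv4/ICMP packets built inline from constructed sample values (documentation address ranges, a hypothetical local network 192.0.2.0/24) and returns the filtering decision a border device would take for each, so you can see what a redirect actually carries (the new gateway and the destination whose route it rewrites) versus a "fragmentation needed" message that must be let through.

```python
import struct
import ipaddress

ICMP_DEST_UNREACH = 3   # type 3; code 4 is "fragmentation needed" (used by PMTUD)
ICMP_REDIRECT = 5       # type 5: rewrite a route on the receiving host
ICMP_ECHO_REQUEST = 8   # type 8: ping
FRAG_NEEDED = 4

# Hypothetical local network used to recognise broadcast destinations.
LOCAL_NETS = [ipaddress.IPv4Network("192.0.2.0/24")]


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 over a correctly checksummed message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_icmp(src, dst, icmp_type, code, rest=b"\x00" * 4, payload=b"") -> bytes:
    """Build a minimal IPv4 packet carrying one ICMP message (constructed sample input)."""
    icmp = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + icmp


def parse_ipv4_icmp(pkt: bytes) -> dict:
    """Parse IPv4 + ICMP headers; raise ValueError for non-ICMP or corrupt input."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:
        raise ValueError("not ICMP (protocol %d)" % pkt[9])
    icmp = pkt[ihl:]
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    if icmp_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    info = {"src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "type": icmp[0], "code": icmp[1]}
    if info["type"] == ICMP_REDIRECT:
        # Bytes 4-7 name the router the host is told to use. The payload carries the
        # original IP header, whose destination (offset 16) is the route being rewritten.
        info["gateway"] = str(ipaddress.IPv4Address(icmp[4:8]))
        info["for_dest"] = str(ipaddress.IPv4Address(icmp[24:28])) if len(icmp) >= 28 else None
    elif info["type"] == ICMP_DEST_UNREACH and info["code"] == FRAG_NEEDED:
        info["next_hop_mtu"] = struct.unpack("!H", icmp[6:8])[0]
    return info


def border_decision(info: dict, local_nets=LOCAL_NETS) -> tuple:
    """Policy from the FAQ: drop redirects, keep PMTUD, ignore broadcast pings."""
    if info["type"] == ICMP_REDIRECT:
        return ("drop", "redirect from %s rewrites route to %s via %s"
                % (info["src"], info["for_dest"], info["gateway"]))
    if info["type"] == ICMP_DEST_UNREACH and info["code"] == FRAG_NEEDED:
        return ("allow", "fragmentation needed, next-hop MTU %d (PMTUD)" % info["next_hop_mtu"])
    if info["type"] == ICMP_ECHO_REQUEST:
        dst = ipaddress.IPv4Address(info["dst"])
        if any(dst == net.broadcast_address for net in local_nets):
            return ("drop", "echo request to broadcast address %s" % dst)
    return ("allow", "icmp type %d code %d" % (info["type"], info["code"]))


def demo() -> list:
    """Classify three constructed packets; returns the list of (action, reason) tuples."""
    # Redirect: "send traffic for 203.0.113.10 via 192.0.2.99" (embedded original IP header).
    embedded = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                           ipaddress.IPv4Address("192.0.2.10").packed,
                           ipaddress.IPv4Address("203.0.113.10").packed) + b"\x00" * 8
    redirect = build_ipv4_icmp("192.0.2.1", "192.0.2.10", ICMP_REDIRECT, 1,
                               rest=ipaddress.IPv4Address("192.0.2.99").packed, payload=embedded)
    # Fragmentation needed with next-hop MTU 1400: required for Path MTU Discovery.
    frag = build_ipv4_icmp("198.51.100.1", "192.0.2.10", ICMP_DEST_UNREACH, FRAG_NEEDED,
                           rest=b"\x00\x00" + struct.pack("!H", 1400), payload=embedded)
    # Echo request aimed at the local broadcast address.
    bcast_ping = build_ipv4_icmp("198.51.100.7", "192.0.2.255", ICMP_ECHO_REQUEST, 0)
    return [border_decision(parse_ipv4_icmp(p)) for p in (redirect, frag, bcast_ping)]


if __name__ == "__main__":
    for action, reason in demo():
        print(action, "-", reason)
```

The checksum is verified before any field is trusted, and the redirect branch reports both the advertised gateway and the destination whose route would change, which is the information a log entry needs when investigating unsolicited redirects.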
Vesaria
3640 Fords Lane, Suite D
Baltimore, MD 21215
443 - 501 - 4044