Showing posts with label icmp. Show all posts
Showing posts with label icmp. Show all posts

Tuesday, December 17, 2013

ICMP Fragmentation and Firewall

Following an installation of new firewalls, I was facing an issue of communication between a CMC (Central Management Console) and a Riverbed Steelhead.
In a normal way, the CMC open a SSH session to push rules to the Riverbed. But after the installation, it was not working anymore. I have investigated and found the root cause of this issue.

Packets between the CMC and the Riverbed are fragmented. Without firewalls, CMC and Riverbed use PMTU in order to discover the MTU small enough to traverse the entire path without fragmentation.
In a first step, Path MTU uses the option Don't Fragment (DF). When a packet is sent with this option, it cannot been fragmented. If a router with a smaller MTU receives this packet, it will drop it and send to the sender an ICMP Fragmentation Needed. This step is repeated until the source has reached the destination without fragmentation.

As you can see below, our problem come from this ICMP Fragmentation Needed packet.
When the steelhead sends a packet (with option Don't fragment) to the CMC, a router on the path sends a ICMP fragmentation Needed. However, the new firewall filters this packet and now the handshake failed.






Workaround:

  • Allow ICMP option on the firewall.
  • Reduce MTU on primary interface of the Riverbed.

Tuesday, June 28, 2011

Filtrage ICMP Redirect sous Windows XP

Le but de ce billet est de décrire la méthode pour que Windows XP ne subisse pas les attaques par ICMP redirect. Petit rappel sur l'ICMP redirect:
L'attaque par ICMP redirect consiste à envoyer des messages (type ICMP 'redirect') à une cible. Le message généré proposera à la victime de passer par un nouveau chemin pour joindre un réseau. De cette manière la machine ne pourra joindre un réseau ou une machine puisque la gateway proposée sera erronée.

Ci-dessous vous trouverez un exemple d'ICMP Redirect généré via scapy:


ip=IP()
ip.src='192.168.20.1'
ip.dst='192.168.20.66' => poste attaqué
icmp=ICMP()
icmp.type=5
icmp.code=1
icmp.gw='192.168.20.100' => GW erronée
ip2=IP()
ip2.src='192.168.20.66' => poste attaqué
ip2.dst='100.100.100.0' => route modifiée
ip2.display
send(ip/icmp/ip2/UDP())


Afin de ce prémunir de ce type d'attaque sur un poste Windows XP, il est cependant possible de modifier la clé de registre Ci-dessous:

HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services \Tcpip\Parameters
EnableICMPRedirect

En passant la valeur à 0 (qui est par défaut à 1), le poste n'interprètera pas ce type de message.