While the use of rate-limits mitigates a flood of ICMP from entering the border, it does not address the need for the filtering of individual ICMP message types. That is the purpose of this guide.
ICMP packets have a TYPE and CODE. The TYPE defines the ICMP message that is being passed. In certain cases, a TYPE may have several sub messages, called a CODE. For example, a "destination unreachable" message might have a TYPE of 3 and a CODE of 3. This would be the ICMP message generated when a port on the target host is unreachable. When a ICMP message requires only a TYPE, the CODE will be set to 0. Further details on the ICMP packet contents and messages can be found in RFC792 (noted below).
While such filtering may be highly site specific, this document provides a guideline for the filtering of ICMP messages. Many documents recommend that all ICMP be blocked; this is technically specious. ICMP is a protocol specifically designed to report errors, and is thus a necessary protocol on any efficient IP network. ICMP provides more than simply a method for miscreants to use to launch DoS (Denial of Service) attacks against sites.
The following ICMP messages are the minimum set that should be permitted
to enter and exit the border. Note that this is only a RECOMMENDATION.
Site requirements may create additions, deletions, or changes to this list.
TYPE CODE COMMENT
ICMP_ECHO 8 0 /* Ping. */
ICMP_ECHOREPLY 0 0 /* Ping response. */
ICMP_UNREACH 3 4 /* ICMP_UNREACH_NEEDFRAG - Used by Path */
/* MTU to determine the optimal MTU setting. */
ICMP_TIMXCEED 11 0 /* TTL expired in transit. Used by UNIX */
/* traceroute and Windows tracert. Note that */
/* UNIX traceroute also uses a high UDP port. */
/* This message is also important when */
/* routing loops occur. */
All other ICMP messages should be blocked (again, depending on the requirements of the site). The placement of these filters is a site specific decision. Certainly these filters can be enacted in a firewall. These filters can also be enacted in a Cisco router, which has the added capability of blocking all ICMP fragments. This would be done with the following Cisco IOS syntax. I use the "any any" because it is simple and easier than adding an ACL for each netblock. I, like many of you, suffer from Discontiguous Netblock Allocation Syndrome. :-) As Hank said, KISS - Keep It Simple, Stupid.
access-list 2001 remark Specifically block ICMP fragments
access-list 2001 deny icmp any any fragments
access-list 2001 remark Permit inbound ping.
access-list 2001 permit icmp any any echo
access-list 2001 remark Permit inbound ping response.
access-list 2001 permit icmp any any echo-reply
access-list 2001 remark Permit Path MTU to function.
access-list 2001 permit icmp any any packet-too-big
access-list 2001 remark Permit time exceeded messages for traceroute and loops.
access-list 2001 permit icmp any any time-exceeded
access-list 2001 remark And explicitly block all other ICMP packets
access-list 2001 deny icmp any any
access-list 2001 remark Permit everything else (or add additional ACLs here).
access-list 2001 permit ip any any
ICMP is a necessary and powerful protocol that provides error messaging for the IP protocol. While commonly misunderstood, the ICMP protocol is not strictly a haven for miscreants. Proper configuration of ICMP filters and rate limiting will ensure the continued efficient operation of an IP network.
[ Documents ] [ Home ]
Rob Thomas, robt at cymru.com, http://www.cymru.com