Security around ICMP.

From: Morten Vinding Nielsen (none@mvn--metropol.dk.lh.bsd-dk.dk)
Date: Tue 02 Apr 2002 - 10:31:14 CEST


To: bsd-dk@bsd-dk.dk


Probably not very BSD-specific, but I'll ask anyway:

For some time now I have been hearing arguments for not answering ping
(ICMP) for security reasons, yet many of the big sites, among them
yahoo.com, keep doing so.

The arguments I have heard so far were mostly that one could see the layout
of the network by running a traceroute, which I think is a bit ridiculous,
but now I have seen a new argument, namely that one can see what internal
time the answering machine has, and that this is supposed to be a security
hole because some programs use the time to calculate various things such as
sequence numbers and the like.

If that really is a security hole, what about e.g. Poul Henning's
super-precise machine, is it then riddled with security holes?
I hardly think so, but can't someone confirm or refute it?

Morten Vinding Nielsen

-----------
From a security report:

tcp-ip
 ICMP Timestamp Request - ID: 82003 - CVE ID: CAN-1999-0524
--------------------------------------------------------------------------------
Diagnosis:
ICMP (Internet Control and Error Message Protocol) is a protocol
encapsulated in IP packets. Its principal purpose is to provide a protocol
layer able to inform gateways of the inter-connectivity and accessibility
of other gateways or hosts. "ping" is a well-known program for determining
if a host is up or down. It uses ICMP echo packets. ICMP timestamp packets
are used to synchronize clocks between hosts.

Consequences:
Unauthorized users can obtain information about your network by sending
ICMP timestamp packets. For example, the internal systems clock should not
be disclosed since some internal daemons use this value to calculate ID or
sequence numbers (i.e., on SunOS servers).

Solution:
You can filter ICMP messages of type "Timestamp" and "Timestamp Reply" at
the firewall level. Some system administrators choose to filter most types
of ICMP messages for various reasons. For example, they may want to protect
their internal hosts from ICMP-based Denial Of Service attacks, such as the
Ping of Death or Smurf attacks.
However, you should never filter ALL ICMP messages, as some of them ("Don't
Fragment", "Destination Unreachable", "Source Quench", etc) are necessary
for proper behavior of Operating System TCP/IP stacks.

It may be wiser to contact your network consultants for advice, since this
issue impacts your overall network reliability and security.

Result:
time stamp of host: 10:44:19 GMT
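
The report's "Solution" and "Result" sections, as an added example that is not part of the original post or the quoted report: a Python sketch that classifies raw ICMP messages the way the report recommends (drop Timestamp and Timestamp Reply, keep the error messages the TCP/IP stack needs) and decodes the clock value a Timestamp Reply discloses. The function names, the `review` verdict and the sample packets are assumptions made for illustration; type and code numbers follow RFC 792.

```python
import struct

# ICMP types named in the report's "Solution" section (numbers per RFC 792).
BLOCK = {13: "Timestamp", 14: "Timestamp Reply"}
KEEP = {3: "Destination Unreachable", 4: "Source Quench"}


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ms_to_clock(ms: int) -> str:
    """Render milliseconds since midnight UT as HH:MM:SS."""
    s = ms // 1000
    return f"{s // 3600:02d}:{s % 3600 // 60:02d}:{s % 60:02d}"


def inspect(icmp: bytes) -> dict:
    """Classify one ICMP message and report what a timestamp reply discloses."""
    if len(icmp) < 8:
        return {"action": "drop", "reason": "truncated"}
    if checksum(icmp) != 0:  # a message with a valid checksum sums to zero
        return {"action": "drop", "reason": "bad checksum"}
    mtype, code = icmp[0], icmp[1]
    if mtype in BLOCK:
        out = {"action": "drop", "reason": BLOCK[mtype]}
        if mtype == 14 and len(icmp) >= 20:
            _orig, recv, _xmit = struct.unpack("!3I", icmp[8:20])
            # High bit set marks a non-standard value, not ms since midnight.
            out["host_clock"] = None if recv & 0x80000000 else ms_to_clock(recv)
        return out
    if mtype in KEEP:
        name = KEEP[mtype]
        if mtype == 3 and code == 4:  # the report's "Don't Fragment" case
            name += " (fragmentation needed, DF set)"
        return {"action": "allow", "reason": name}
    return {"action": "review", "reason": f"type {mtype} not covered by the report"}


def build(mtype: int, code: int, body: bytes) -> bytes:
    """Construct a sample ICMP message with a valid checksum (test data only)."""
    head = struct.pack("!BBH", mtype, code, 0)
    return struct.pack("!BBH", mtype, code, checksum(head + body)) + body
```

Feeding `inspect` a constructed Timestamp Reply whose receive field is 38659000 ms yields the same `10:44:19` the report lists under "Result", while a type 3 code 4 message is allowed through.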


