HP Tru64 UNIX and TruCluster Server Version 5.1B-4: Patch Summary and Release Notes > Chapter 1 Enhancements, Improvements, and Features

Kernel Attributes Protect Against ICMP Security Vulnerability


A new kernel attribute delivered in this kit, icmp_tcpseqcheck, and an existing attribute, icmp_rejectcodemask, can protect your system against potential Internet Control Message Protocol (ICMP) security vulnerabilities. This release note describes these attributes and provides background information on the security issues. For information about setting these attributes, see the revised sys_attrs_inet(5) reference page delivered in this kit.

An overview of these attributes follows:

  • icmp_tcpseqcheck

    Mitigates ICMP attacks against the Transmission Control Protocol (TCP) by checking that the TCP sequence number contained in the payload of the ICMP error message is within the range of the data already sent but not yet acknowledged. An ICMP error message that does not pass this check is discarded. This behavior protects TCP against spoofed ICMP packets.

  • icmp_rejectcodemask

    A bitmask that designates the ICMP types the system should reject. A single bit in icmp_rejectcodemask rejects one ICMP packet type; several bits can be combined in one mask to reject more than one type.

    In the Requirements for Internet Protocol (IP) Version 4 Routers (RFC 1812), research suggests that the use of ICMP Source Quench packets is an ineffective (and unfair) antidote for congestion. HP therefore recommends using the icmp_rejectcodemask attribute to ignore ICMP Source Quench packets.

The ICMP type codes are in /usr/include/netinet/ip_icmp.h.
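The following C program is an added illustration of the two checks described above; it is not HP's kernel code, and the Tru64 implementation is not reproduced here. It assumes a mask layout in which bit N rejects ICMP type N (the page does not state the exact layout), defines the ICMP type values from RFC 792 locally rather than including the system ip_icmp.h, and uses constructed ICMP error messages. The sequence check accepts an ICMP error only if the embedded TCP sequence number lies in [SND.UNA, SND.NXT), using wraparound-safe arithmetic, which is the "sent but not yet acknowledged" range the icmp_tcpseqcheck description refers to.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* ICMP type values from RFC 792 (assumed to match ip_icmp.h; defined
   locally so the example builds anywhere). */
#define ICMP_UNREACH       3
#define ICMP_SOURCEQUENCH  4

/* Assumed mask layout: bit N set means "reject ICMP type N". */
static uint32_t reject_mask_for(const int *types, size_t n)
{
    uint32_t mask = 0;
    for (size_t i = 0; i < n; i++)
        if (types[i] >= 0 && types[i] < 32)
            mask |= 1u << types[i];
    return mask;
}

static int type_is_rejected(uint32_t mask, int type)
{
    return type >= 0 && type < 32 && ((mask >> type) & 1u) != 0;
}

/* RFC 793 send-side variables of one TCP connection. */
struct tcp_send_state {
    uint32_t snd_una;  /* oldest unacknowledged sequence number */
    uint32_t snd_nxt;  /* next sequence number to be sent */
};

/* una <= seq < nxt in 32-bit sequence space (wraparound-safe). */
static int seq_in_window(uint32_t seq, uint32_t una, uint32_t nxt)
{
    return (int32_t)(seq - una) >= 0 && (int32_t)(nxt - seq) > 0;
}

/* ICMP error layout: 8-byte ICMP header, the original IPv4 header, then the
   first 8 bytes of the original TCP header (ports + sequence number).
   Returns 0 if the message is too short or does not embed TCP. */
static int icmp_error_tcp_seq(const uint8_t *pkt, size_t len, uint32_t *seq_out)
{
    if (len < 8 + 20 + 8) return 0;
    size_t ihl = (size_t)(pkt[8] & 0x0f) * 4;
    if (ihl < 20 || len < 8 + ihl + 8) return 0;
    if (pkt[8 + 9] != 6) return 0;            /* inner protocol must be TCP */
    const uint8_t *tcp = pkt + 8 + ihl;
    *seq_out = ((uint32_t)tcp[4] << 24) | ((uint32_t)tcp[5] << 16) |
               ((uint32_t)tcp[6] << 8) | (uint32_t)tcp[7];
    return 1;
}

/* 1 = accept the ICMP error for this connection, 0 = discard it. */
static int icmp_error_accept(const uint8_t *pkt, size_t len, uint32_t reject_mask,
                             const struct tcp_send_state *st)
{
    uint32_t seq;
    if (len < 8) return 0;
    if (type_is_rejected(reject_mask, pkt[0])) return 0;   /* icmp_rejectcodemask */
    if (!icmp_error_tcp_seq(pkt, len, &seq)) return 0;
    return seq_in_window(seq, st->snd_una, st->snd_nxt);   /* icmp_tcpseqcheck */
}

/* Constructed ICMP error message (checksums left zero; not consulted here). */
static size_t build_icmp_error(uint8_t *buf, uint8_t type, uint8_t code, uint32_t tcp_seq)
{
    uint8_t *tcp = buf + 28;
    memset(buf, 0, 36);
    buf[0] = type; buf[1] = code;
    buf[8] = 0x45;                 /* inner IPv4 header, IHL = 5 */
    buf[8 + 9] = 6;                /* inner protocol = TCP */
    tcp[0] = 0x04; tcp[1] = 0xd2;  /* constructed source port 1234 */
    tcp[2] = 0x00; tcp[3] = 0x50;  /* constructed destination port 80 */
    tcp[4] = (uint8_t)(tcp_seq >> 24); tcp[5] = (uint8_t)(tcp_seq >> 16);
    tcp[6] = (uint8_t)(tcp_seq >> 8);  tcp[7] = (uint8_t)tcp_seq;
    return 36;
}

/* One scenario end to end: build the message, apply both checks. */
static int demo_accept(uint8_t type, uint8_t code, uint32_t seq,
                       uint32_t mask, uint32_t una, uint32_t nxt)
{
    uint8_t buf[64];
    struct tcp_send_state st = { una, nxt };
    size_t n = build_icmp_error(buf, type, code, seq);
    return icmp_error_accept(buf, n, mask, &st);
}

int main(void)
{
    int quench[] = { ICMP_SOURCEQUENCH };
    uint32_t mask = reject_mask_for(quench, 1);
    printf("reject mask for Source Quench: 0x%x\n", mask);
    printf("host-unreachable, seq in window:  %d\n", demo_accept(ICMP_UNREACH, 1, 1200, mask, 1000, 1500));
    printf("host-unreachable, seq out of window: %d\n", demo_accept(ICMP_UNREACH, 1, 999, mask, 1000, 1500));
    printf("source quench, masked off:         %d\n", demo_accept(ICMP_SOURCEQUENCH, 0, 1200, mask, 1000, 1500));
    return 0;
}
```

A spoofed error that guesses the connection's ports but not its current sequence window is discarded by the sequence check alone; a Source Quench is discarded regardless of its payload once its type bit is set in the mask. Note that when nothing is in flight (SND.UNA == SND.NXT) no sequence number passes, which is the intended behaviour: there is no unacknowledged data for an error to refer to.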

ICMP (RFC 792) is used in the Internet architecture to perform fault isolation and recovery (RFC 816), the group of actions that hosts and routers take to determine whether a network failure has occurred.

The industry-standard TCP specification (RFC 793) has a vulnerability whereby ICMP packets can be used to perform a variety of attacks, such as blind connection reset attacks and blind throughput-reduction attacks (blind meaning that the attacker need not be on the path of the connection):

  • Blind connection reset attacks can be triggered by an attacker sending forged ICMP "Destination Unreachable, host unreachable" packets or ICMP "Destination Unreachable, port unreachable" packets.

  • Blind throughput-reduction attacks can be caused by an attacker sending a forged ICMP type 4 (Source Quench) packet.

Path MTU Discovery (RFC 1191) describes a technique for dynamically discovering the MTU (maximum transmission unit) of an arbitrary internet path. This protocol uses ICMP packets from routers to discover the MTU for a TCP connection path. An attacker can reduce the throughput of a TCP connection by sending forged ICMP packets (or their IPv6 counterpart) to the discovering host, causing it to adopt an incorrect Path MTU setting.

© 2006 Hewlett-Packard Development Company, L.P.