Hacker News new | past | comments | ask | show | jobs | submit login
Off-Path Network Traffic Manipulation via Revitalized ICMP Redirect (2022) [pdf] (usenix.org)
40 points by TechBro8615 10 months ago | hide | past | favorite | 8 comments

Yet another reason to implement BCP 38 on your network. https://www.ietf.org/rfc/bcp/bcp38.html

Someone needs to write "ICMP the good bits", because the traditional response of disable all ICMP isn't great.

Basically, you need: "destination unreachable", "packet too big", "time exceeded", "echo request/reply". Everything else is pretty much useless and/or harmful.

Why do you "need" echo request and reply, if you can basically get this functionality in a dozen different ways? Disabling pings is more or less security theater, when every pentester knows how to work around it and find live hosts.

Because they are useful for _you_. Ping utility is present everywhere (even on Windows), while nmap requires installation.

Well thats kinda what happened in IPv6 we were all supposed to move to long ago.

From the linked paper:

> As a result, our attacks can be easily extended to IPv6 net- works to manipulate a victim originator’s network traffic.

For IPv4, this could be mitigated on the host by making use of the 16 bit ID field. It is used together with the SRC-IP,DST-IP,PROTO tuple.

So if the host generated IDs on such a basis, maintaining a tuple indexed set of IDs (with some time window), then before any higher level validation is performed , a simple check that the ID in the embedded packet is in the correct range for the SRC/DST/PROTO combo would allow such packets to be discarded.

An additional bit could be maintained to indicate that an attack was detected, just in case some device tries to scan through the 16 bit range. Hence catching that on a per target basis.

This would allow the on local LAN case to be protected against, and would also serve to protect against the remote case, but that should really be handled by the edge router.

e.g. my home router currently shows a number of filtered inbound redirects:

      190 deny icmp any any redirect (542 matches)

For IPv6 one could probably perform a similar scheme, but using the flow-id field.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact