Thursday, July 07, 2005

ICMP Attacks Against TCP Revisited

Slashdot alerted me to a KernelTrap article about Fernando Gont at the recent OpenBSD hackathon. I mentioned Gont's work in April. The Slashdot post has some surprisingly good commentary, like this historical perspective and this summary.

Three aspects of the KernelTrap story bother me. First, Cisco sounds like it is more interested in patenting a fix for the problem, and less interested in getting the problem fixed in a timely manner. Second, the disclosure process sounds broken, with Gont now preferring to avoid dealing with vendors entirely. Third, Cisco sounds like one of its employees needs a real attitude adjustment:

"'They blamed me for submitting my work,' Fernando said in exasperation. 'One of Cisco's managers of PSIRT said I was cooperating with terrorists, because a terrorist could have gotten the information in the paper I wrote!'"

Sorry, terrorists attack planes, buildings, and (tragically in Spain and now the UK) trains and subway systems. They do not use ICMP to degrade TCP connections.

3 comments:

Anonymous said...

Also useful to browse are Ofir's very well known papers related to ICMP usage in scanning.

Richard Bejtlich said...

Tom Ptacek's done some additional analysis of these issues here.

Anonymous said...

Tom Ptacek clearly does not understand the problem, and cannot read a specification.

The IETF specifications say "the entire IP header plus the first 64 bits of the IP payload" are included. It never mentions "TCP headers".

And there is no RFC that recommends to perform checks on the received ICMP messages.

It's really a shame he calls himself a "researcher".
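As an added example (not code from the post or any of its commenters), here is a small Python parser for the ICMP error format the last comment describes: it pulls the quoted IP header and the first 64 bits of payload, which for a TCP segment are the two ports and the sequence number, and then applies the kind of plausibility check Gont's work proposes, accepting the error only if it matches a known connection and quotes a sequence number inside the unacknowledged send window. The sample message and the connection state are constructed for the example.

```python
import struct

def parse_icmp_error(icmp_msg: bytes) -> dict:
    """Parse an ICMPv4 error message. After the 8-byte ICMP header comes the
    offending datagram's IP header plus at least the first 64 bits of its
    payload; when that datagram was TCP, those 64 bits are exactly
    source port, destination port and sequence number."""
    icmp_type, icmp_code = icmp_msg[0], icmp_msg[1]
    inner = icmp_msg[8:]
    ihl = (inner[0] & 0x0F) * 4            # inner IP header length in bytes
    if len(inner) < ihl + 8:
        raise ValueError("ICMP error too short for IP header + 64 payload bits")
    proto = inner[9]
    src_ip = ".".join(str(b) for b in inner[12:16])
    dst_ip = ".".join(str(b) for b in inner[16:20])
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    return {"type": icmp_type, "code": icmp_code, "proto": proto,
            "src": src_ip, "dst": dst_ip, "sport": sport, "dport": dport,
            "seq": seq}

def icmp_error_is_plausible(parsed: dict, conn: dict) -> bool:
    """Accept the error only if it quotes a TCP segment of the given
    connection (constructed TCB: src, dst, sport, dport, snd_una, snd_nxt)
    whose sequence number lies in [snd_una, snd_nxt), i.e. data we actually
    sent and have not yet seen acknowledged. Errors that fail this check are
    the ones an off-path sender could have forged and should be ignored."""
    if parsed["proto"] != 6:                # 6 = TCP
        return False
    if (parsed["src"], parsed["dst"], parsed["sport"], parsed["dport"]) != \
       (conn["src"], conn["dst"], conn["sport"], conn["dport"]):
        return False
    outstanding = (conn["snd_nxt"] - conn["snd_una"]) % 2**32
    return (parsed["seq"] - conn["snd_una"]) % 2**32 < outstanding

def build_sample_icmp_error(seq: int) -> bytes:
    """Constructed message: ICMP type 3 (unreachable) code 4 (fragmentation
    needed) quoting a TCP segment 10.0.0.1:40000 -> 10.0.0.2:80 with `seq`."""
    icmp_hdr = struct.pack("!BBHHH", 3, 4, 0, 0, 1280)   # checksum left zero
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return icmp_hdr + ip_hdr + struct.pack("!HHI", 40000, 80, seq)

# Constructed connection state: 1460 bytes sent but not yet acknowledged.
SAMPLE_CONN = {"src": "10.0.0.1", "dst": "10.0.0.2", "sport": 40000,
               "dport": 80, "snd_una": 1000, "snd_nxt": 2460}

if __name__ == "__main__":
    for seq in (1500, 5000):
        msg = parse_icmp_error(build_sample_icmp_error(seq))
        print(seq, icmp_error_is_plausible(msg, SAMPLE_CONN))
```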