DoS Threat – Discussing ICMP Vulnerabilities

One of ICMP's weaknesses is the redirect mechanism, which lets attackers take control over how traffic is routed. Let's take a look at what is going on here and how we can counteract it.


Legacy

The ICMP protocol is an important component of the TCP/IP stack. It is needed to report errors, for example when the target service or host cannot accept the packets that were sent. It is also used by network diagnostic utilities such as ping and traceroute.

The protocol itself is quite old: it was specified in RFC 792 back in 1981. It is not surprising that a number of vulnerabilities have been found in it over that time. For example, attackers can use ICMP to establish a covert channel to a target computer and transfer data past firewalls.

Just this year, CVE-2023-23415 was found, rated critical. It allows remote code execution on some modern versions of Windows, though only if the system runs an application that listens on raw sockets. The vulnerability was quickly fixed by a patch.

Another relatively recent vulnerability was discovered by members of the USENIX association, who study Unix-like systems. The problem concerns the ICMP redirect mechanism.

What is going on here

The ICMP redirect mechanism allows packet delivery routes to be managed dynamically. When a router discovers a better path, it generates a special ICMP message asking the host to update its routing table and sends it to the other side of the connection. A team of engineers from Tsinghua University in Beijing showed that this mechanism contains a critical vulnerability.

Attackers can use stateless client-side protocols (such as UDP, ICMP, GRE, IPIP, and SIT) to craft spoofed ICMP messages. By forging the source IP address, they are able to manipulate the device's traffic at their discretion and carry out DoS attacks.

As the researchers note, most modern operating systems keep several well-known UDP ports open by default, for example for NTP, SNMP, DHCP, DNS and TFTP. An attacker can check their status before sending the fake ICMP messages. The problem affects both IPv4 and IPv6.


At its core, an attack that uses ICMP in this way is somewhat reminiscent of ARP poisoning. However, the researchers consider it more dangerous because of its stealth. Linux builds from version 2.6.20 onward were at risk. For FreeBSD, the vulnerability has been relevant since version 8.2, and for Android, since 4.2. Tests also showed that more than 43,000 popular sites in 130 countries around the world are not protected from the vulnerability. DNS servers may also be under attack: 5% of them are not protected.

But is it possible to defend against it?

The weak spot in the system can be closed by disabling ICMP redirects for stateless protocols such as UDP, ICMP, GRE, IPIP, and SIT. It is not worth turning off ICMP support entirely, however, since it is a useful tool for network diagnostics and for correct error handling during packet transmission.
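The host-level knob that corresponds to this advice on Linux is the set of `accept_redirects`, `secure_redirects` and `send_redirects` sysctls; setting them to 0 stops the kernel from acting on (or emitting) ICMP redirects while leaving the rest of ICMP, such as echo requests for ping, untouched. The script below is an added example, not code from the article or from the researchers: it parses `sysctl -a`-style lines, lists every redirect key that differs from the hardened value, and renders the lines to drop into a sysctl configuration file. The sysctl key names are real Linux keys; the two sample dumps are constructed, not captured from a real host. Note that these sysctls disable redirect acceptance for all traffic, not only for the stateless protocols the article names, which is the usual trade-off on a non-router host.

```python
"""Audit Linux sysctl output for ICMP redirect hardening.

Added example (not from the original article). The sample sysctl dumps
below are constructed for illustration, not captured from a real host.
"""

# Host-hardening baseline: neither accept nor send ICMP redirects.
# These are real Linux sysctl keys; 0 is the value a non-router host should use.
RECOMMENDED = {
    "net.ipv4.conf.all.accept_redirects": 0,
    "net.ipv4.conf.default.accept_redirects": 0,
    "net.ipv4.conf.all.secure_redirects": 0,
    "net.ipv4.conf.default.secure_redirects": 0,
    "net.ipv4.conf.all.send_redirects": 0,
    "net.ipv4.conf.default.send_redirects": 0,
    "net.ipv6.conf.all.accept_redirects": 0,
    "net.ipv6.conf.default.accept_redirects": 0,
}


def parse_sysctl(lines):
    """Turn 'key = value' lines into a dict; blank and malformed lines are skipped."""
    settings = {}
    for line in lines:
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_redirects(lines):
    """Return {key: (current, recommended)} for every key that is weak or missing."""
    settings = parse_sysctl(lines)
    findings = {}
    for key, want in RECOMMENDED.items():
        current = settings.get(key)          # None when the key is absent from the dump
        if current is None or current != str(want):
            findings[key] = (current, want)
    return findings


def hardened_conf(findings):
    """Render the lines to place in /etc/sysctl.d/ to fix the given findings."""
    return "\n".join(f"{key} = {want}" for key, (_, want) in sorted(findings.items()))


# Constructed sample: a stock-looking host that still honours redirects (weak).
WEAK_SYSCTL = """
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.default.secure_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv6.conf.all.accept_redirects = 1
net.ipv6.conf.default.accept_redirects = 1
net.ipv4.icmp_echo_ignore_all = 0
""".splitlines()

# The same host after applying the hardened values; ping (echo) stays enabled.
HARDENED_SYSCTL = [line.replace("= 1", "= 0") for line in WEAK_SYSCTL]

if __name__ == "__main__":
    weak = audit_redirects(WEAK_SYSCTL)
    print(f"{len(weak)} weak redirect settings found")
    print(hardened_conf(weak))
    print("after hardening:", audit_redirects(HARDENED_SYSCTL))
```

On a live host the input would come from `sysctl -a`; the audit deliberately treats a missing key as a finding, since an absent line usually means the dump was taken without privileges or the interface family is not configured at all, and both deserve a look.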

In the longer term, Hacker News commenters in the thread on the topic urge implementing the BCP 38 network security standard. It was described back in 2000 and prohibits forwarding traffic whose source address does not belong to the Internet provider's network range. Such an approach should limit attackers' capabilities by preventing large-scale inter-network DoS attacks. However, its full implementation will require the joint efforts of operators.

On an IPv4 host, you can also protect yourself from such attacks by using the 16-bit IP ID field in combination with SRC-IP, DST-IP, and PROTO. This method adds a layer of message authentication: the identifier in the quoted header is checked against the combination of those three values. In theory, the approach can be extended to IPv6 by using the flow-id field instead.
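An ICMP Redirect (type 5) carries the new gateway address followed by a copy of the IPv4 header of the packet that supposedly triggered it, which is what makes the check described above possible: the receiver compares the quoted (source IP, destination IP, protocol, IP ID) against packets it really sent, so a forger who knows the open UDP service but not the ID of a recent datagram cannot produce an acceptable message. The following is an added example, not code from the article or from the researchers, and it does not reproduce any kernel's implementation; it builds a genuine and a mismatching redirect in memory (constructed packets, nothing captured), verifies the ICMP checksum, and accepts the redirect only when the quoted header matches a tracked outbound packet.

```python
"""Validate ICMPv4 redirects against recently sent packets.

Added example (not from the original article or the researchers' paper).
Every packet here is constructed in memory; addresses and IDs are made up.
"""
import struct
from socket import inet_aton, inet_ntoa

ICMP_REDIRECT = 5   # ICMP type for Redirect
IPPROTO_UDP = 17


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, proto, ident, payload_len=8):
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0,
                      64, proto, 0, inet_aton(src), inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_redirect(gateway, quoted_ip_header, quoted_payload=b"\x00" * 8):
    """ICMP Redirect, code 1 (redirect for host), quoting the triggering packet."""
    body = inet_aton(gateway) + quoted_ip_header + quoted_payload
    csum = inet_checksum(struct.pack("!BBH", ICMP_REDIRECT, 1, 0) + body)
    return struct.pack("!BBH", ICMP_REDIRECT, 1, csum) + body


class SentPacketTable:
    """Tracks (src, dst, proto) -> set of IP IDs this host recently emitted."""

    def __init__(self):
        self._seen = {}

    def record(self, src, dst, proto, ident):
        self._seen.setdefault((src, dst, proto), set()).add(ident)

    def contains(self, src, dst, proto, ident):
        return ident in self._seen.get((src, dst, proto), set())


def parse_redirect(packet: bytes):
    """Return (gateway, src, dst, proto, ident) or raise ValueError if malformed."""
    if len(packet) < 8 + 20 + 8:          # ICMP header + quoted IP header + 8 bytes
        raise ValueError("truncated ICMP redirect")
    icmp_type = packet[0]
    if icmp_type != ICMP_REDIRECT:
        raise ValueError("not an ICMP redirect")
    if inet_checksum(packet) != 0:        # a valid packet checksums to zero
        raise ValueError("bad ICMP checksum")
    gateway = inet_ntoa(packet[4:8])
    fields = struct.unpack("!BBHHHBBH4s4s", packet[8:28])
    ident, proto, src, dst = fields[3], fields[6], fields[8], fields[9]
    return gateway, inet_ntoa(src), inet_ntoa(dst), proto, ident


def accept_redirect(packet: bytes, table: SentPacketTable) -> bool:
    """Accept only a well-formed redirect quoting a packet this host really sent."""
    try:
        _, src, dst, proto, ident = parse_redirect(packet)
    except ValueError:
        return False
    return table.contains(src, dst, proto, ident)


# Constructed scenario: host 10.0.0.5 sent one UDP datagram to a DNS server
# at 10.0.0.53 with IP ID 0x1234, and recorded that fact in its table.
table = SentPacketTable()
HOST, DNS, SENT_ID = "10.0.0.5", "10.0.0.53", 0x1234
table.record(HOST, DNS, IPPROTO_UDP, SENT_ID)

# Legitimate redirect from the gateway: quotes exactly the packet we sent.
GENUINE = build_redirect("10.0.0.254", build_ipv4_header(HOST, DNS, IPPROTO_UDP, SENT_ID))
# Mismatching redirect: the right open UDP service, but the ID does not match.
MISMATCH = build_redirect("10.0.0.66", build_ipv4_header(HOST, DNS, IPPROTO_UDP, 0x0001))
# Corrupted copy of the genuine packet: checksum no longer verifies.
CORRUPT = GENUINE[:2] + b"\x00\x00" + GENUINE[4:]

if __name__ == "__main__":
    print("genuine accepted: ", accept_redirect(GENUINE, table))
    print("mismatch accepted:", accept_redirect(MISMATCH, table))
    print("corrupt accepted: ", accept_redirect(CORRUPT, table))
```

The table is the whole point: the check is only as good as the host's record of what it sent, so in a real stack the entries must expire quickly and the ID must not be predictable, which is why the text calls the approach an additional layer rather than a replacement for disabling redirects.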

