4

I see on this question (How can I stop Linux from sending ICMP "Destination Unreachable" responses?) that there was a lot of discussion pointing to the fact that you shouldn't turn off ICMP unreachable messages. I am wondering why and when you should? I too want to know how to do it. I know it breaks MTU path discovery but what else?

On Cisco devices you can turn this on and off, so there must be a reason. Their documentation just says that turning it off is supposed to be for increased security, as in it's harder to get information about your network? This is what the Cisco documentation says. I need to implement the ability to turn this on and off on a switch for my company, so I am learning about it. Regardless of the whys I still have to do it, but I'd like an informed answer on why to do it or not to give to others.

When I want to turn off ICMP redirects I do this:

echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

Is there something similar for unreachables?

The user on the other thread did it like so:

iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j DROP 

Is this a good way? Then I could turn it on again by removing this drop rule?

Should I be telling people that they don't need this feature?

EDIT: Online I see this:

An attacker could gather information about your network when scanning it, like unused IPs and networks. When working with (interface) Access-Lists, a deny statement triggers an ICMP Type 3 Code 9/10 message (Network/Host is Administratively Prohibited). When disabling ICMP unreachables on the interface where the ACL is applied, the deny statement acts like a 'drop' and does not reply.
Paul
  • 253
  • 3
  • 8

3 Answers

6

From a very thorough and well-written answer about the same subject over at security.SE, which I highly recommend you to read:

At its core ICMP was designed as the debugging, troubleshooting, and error reporting mechanism for IP. This makes it insanely valuable, so a lot of thought needs to go into shutting it down. It would be a bit like tacking >/dev/null 2>&1 to the end of all your cron entries.

Source Quench / Redirect is pretty much obsolete and removed from modern networking devices. IPv6 requires ICMP to fully function.

The bottom line: Don't block anything unless you fully understand the implications. If I were to give you one piece of advice, it would be to block ICMP echo in your external firewall and leave everything else open. But that is just my opinion.

pauska
  • 19,620
  • 5
  • 57
  • 75
  • +1 Good summary and reference link. I don't agree with blocking *echo*, and apparently Google doesn't either. But that's probably the smallest offense you could commit in blocking some part of ICMP. – Chris S Jun 04 '13 at 13:39
  • 1
    I don't block any ICMP at all, as I don't believe it really helps. Security through obfuscation had never really worked.. – pauska Jun 04 '13 at 13:54
  • Thanks, I agree it is silly to turn it off; however, now I have to do it anyway as customers want it. I will just do: iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j DROP. Hmm, I wonder whether I can do it per VLAN interface – Paul Jun 05 '13 at 10:34
2

Preventing your server from sending "destination unreachable" basically makes it mute to a majority of port scans, which increases security. However, not by much. It does break path discovery and there's no real reason to block it. There are many, many ways to scan a server, and that ICMP response is just one of them.

Nathan C
  • 15,059
  • 4
  • 43
  • 62
  • I see, there are other ways to see the information so this command is fairly useless. Still I have to implement the ability to turn it on and off. Thanks! – Paul Jun 04 '13 at 13:00
  • +1 If your router supports rate limiting it's a good idea to limit ICMP responses so you aren't the unwitting participant in a reflection attack. Otherwise, the information gleaned from ICMP is of little real value, and an attacker could find the information other ways anyway. – Chris S Jun 04 '13 at 13:30
  • Not replying to ICMP doesn't mute you from port scans, it just takes longer to find something that will answer.. – pauska Jun 04 '13 at 13:34
  • 1
    This is worthless for preventing port scans from giving useful information. Worse, it lets me probe the general outlines of your firewall, which is probably not what you want. – Michael Hampton Jun 04 '13 at 15:27
0

I think you have some mistakes. ICMP Redirect and ICMP Destination Unreachable are different.

ICMP Redirect should be disabled, because it is extremely easy to fake and an attacker can basically forge ICMP redirect packets.

ICMP Destination Unreachable is needed for your host to do path MTU discovery; disabling it can cause some false positives in your host's communication. But an attacker can also use it to discover your network topology.

The simple solution for you is to make your firewall deny all new incoming ICMP packets and only accept packets in the ESTABLISHED state.

# Accept inbound ICMP that belongs to an existing connection on eth0
iptables -A INPUT -i eth0 -p icmp -m state --state ESTABLISHED -j ACCEPT
# Outbound rules match the egress interface with -o (-i is only valid on INPUT)
iptables -A OUTPUT -o eth0 -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
# Drop every other inbound ICMP packet on eth0
iptables -A INPUT -i eth0 -p icmp -j DROP

So your host can still do path MTU discovery, and is almost "invisible" to some automatic scanners.

cuonglm
  • 2,386
  • 2
  • 16
  • 20
  • ICMP is stateless so it wouldn't work in this case. – Nathan C Jun 04 '13 at 12:31
  • Are you kidding? Have you ever tried this? – cuonglm Jun 04 '13 at 12:42
  • I really disagree with dropping ICMP in general. It does so much more than just discovering paths and that sort of thing. ICMP handles states differently - so you'd also need `--state RELATED` for the unreachable messages to even work. – Nathan C Jun 04 '13 at 12:49
  • Hi, I know they are different; I was just wondering whether there was a similar way to turn them both off. What does this RELATED part mean @NathanC? Anything wrong with just dropping destination-unreachable? – Paul Jun 04 '13 at 13:02
  • You can just switch it off then back on if you encounter issues. – Nathan C Jun 04 '13 at 13:05
  • @NathanC Is there a way to turn them off per interface? It says I can't use output with -i – Paul Jun 05 '13 at 10:53
  • nvm got it in the end – Paul Jun 05 '13 at 14:24
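A per-interface on/off wrapper around the OUTPUT rule from the question, added here as an example and not taken from any of the posts above. It assumes iptables with -C support (1.4.11 or newer), root privileges when rules are applied, and uses -o because OUTPUT rules select the egress interface (-i is only accepted in INPUT); the status check parses iptables-save output, which renders destination-unreachable as "--icmp-type 3".

```shell
#!/bin/sh
# Added example: suppress or restore outgoing ICMP destination-unreachable
# on ONE interface (eth0, vlan10, ...). Not code from the original thread.
# Assumes iptables >= 1.4.11 (for -C) and root when applying rules.

IPT="${IPT:-iptables}"   # command used to apply rules; overridable for dry runs

# Rule specification for interface $1, without the -A/-D/-C verb.
unreach_rule() {
    printf '%s' "OUTPUT -o $1 -p icmp --icmp-type destination-unreachable -j DROP"
}

# Stop sending unreachables out of $1. Idempotent: -C checks before -A appends.
unreach_off() {
    $IPT -C $(unreach_rule "$1") 2>/dev/null || $IPT -A $(unreach_rule "$1")
}

# Resume sending unreachables out of $1 by deleting every copy of the rule.
unreach_on() {
    while $IPT -D $(unreach_rule "$1") 2>/dev/null; do :; done
}

# Return 0 if an iptables-save dump ($2) already holds the drop rule for $1.
# iptables-save writes the rule as "-p icmp -m icmp --icmp-type 3".
unreach_suppressed() {
    if printf '%s\n' "$2" | grep -qE \
        "^-A OUTPUT -o $1 -p icmp( -m icmp)? --icmp-type (3|destination-unreachable) -j DROP$"
    then return 0; else return 1; fi
}

# Usage: ./unreach.sh off vlan10 | on vlan10 | status vlan10
case "${1:-}" in
    off)    unreach_off "$2" ;;
    on)     unreach_on "$2" ;;
    status) if unreach_suppressed "$2" "$(iptables-save 2>/dev/null)"; then
                echo "unreachables suppressed on $2"
            else
                echo "unreachables enabled on $2"
            fi ;;
esac
```

Because the rule lives only in the OUTPUT chain, the host still receives and acts on unreachables from other routers, so inbound path MTU discovery keeps working; only the unreachables this host would send are dropped.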