ICMP redirect downed host |
---|
Risk Level: | ![]() |
Check or Attack Name: ICMP Redirect |
---|---|---|
Platforms: | Unix, NetWare: 3.12, OS-9 | |
Description: | ICMP redirects targeted at hosts with weaker TCP/IP stack implementations have been shown to cause system failures and other adverse effects. NetWare, Windows, and especially embedded systems like OS-9 have been shown to be very susceptible to attacks using ICMP redirects. Warning: Various networked embedded controllers may hang or shut down if they receive an ICMP redirect with code=4. If your network contains controllers attached to automation equipment, manufacturing equipment, HVAC (Heating, Ventilation, and Air Conditioning) equipment, and medical equipment, do not perform ICMP redirects. See the ISS Security Advisory listed in the references. |
|
Remedy: | Many firewall builders block external ICMP traffic from their internal network, since it limits the ability of outsiders to ping hosts or modify routing tables. Protecting against external ICMP redirects is usually accomplished at the router or the firewall. You should enable the anti-redirect feature on your Internet router or firewall. If your router or firewall does not support anti-redirects, consider upgrading as soon as possible or contact the vendor for alternatives. |
|
References: | Internet and Firewall Security, What are ICMP redirects and redirect bombs?, http://slis-two.lis.fsu.edu/~security/Firewall/page17.htm; The NT Shop, ICMP Redirects, http://www.ntsecurity.net/security/icmp-redirects.htm; ISS Security Advisory #14, ICMP Redirects Against Embedded Controllers, http://xforce.iss.net/alerts/advise14.php3 |
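The filtering decision described under Remedy, as an added example that is not part of the original advisory: it classifies one raw IPv4 packet and drops ICMP redirects (type 5) that arrive from outside. Dropping redirects whose code is outside the 0-3 range defined in RFC 792 regardless of direction is an assumed policy prompted by the code=4 warning above; the function names, verdict strings and sample addresses are hypothetical.

```python
import socket
import struct

ICMP_PROTO = 1
ICMP_REDIRECT = 5                    # ICMP type 5 = Redirect (RFC 792)
VALID_REDIRECT_CODES = {0, 1, 2, 3}  # the only codes RFC 792 defines for type 5


def classify(packet: bytes, from_external: bool) -> str:
    """Return a verdict for one raw IPv4 packet seen at the border device."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "malformed"
    ihl = (packet[0] & 0x0F) * 4             # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    if packet[9] != ICMP_PROTO:
        return "pass"
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if frag_offset != 0:
        return "pass"                        # later fragment: no ICMP header here
    if len(packet) < ihl + 8:
        return "malformed"                   # truncated ICMP header
    icmp_type, icmp_code = packet[ihl], packet[ihl + 1]
    if icmp_type != ICMP_REDIRECT:
        return "pass"
    if icmp_code not in VALID_REDIRECT_CODES:
        return "drop-invalid-code"           # assumed policy, any direction
    return "drop-external-redirect" if from_external else "pass"


def sample_packet(icmp_type: int, icmp_code: int) -> bytes:
    """Constructed test bytes: checksums left at zero, documentation addresses."""
    icmp = struct.pack("!BBH4s", icmp_type, icmp_code, 0,
                       socket.inet_aton("192.0.2.254"))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                     ICMP_PROTO, 0,
                     socket.inet_aton("192.0.2.1"),
                     socket.inet_aton("198.51.100.7"))
    return ip + icmp


if __name__ == "__main__":
    for t, c, ext in [(5, 4, False), (5, 1, True), (5, 1, False), (8, 0, True)]:
        print(f"type={t} code={c} external={ext}:",
              classify(sample_packet(t, c), ext))
```

The classifier does not verify checksums, so it judges a packet on its type and code fields alone.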