ICMP redirect downed host

Risk Level: Medium

Check or Attack Name: ICMP Redirect

Platforms: Unix, NetWare: 3.12, OS-9

Description:

ICMP redirects targeted at hosts with weaker TCP/IP stack implementations have been shown to cause system failures and other adverse effects. NetWare, Windows, and especially embedded systems like OS-9 have been shown to be very susceptible to attacks using ICMP redirects.

Warning: Various networked embedded controllers may hang or shut down if they receive an ICMP redirect with code=4. If your network contains controllers attached to automation equipment, manufacturing equipment, HVAC (Heating, Ventilation, and Air Conditioning) equipment, or medical equipment, do not perform ICMP redirects. See the ISS Security Advisory listed in the references.

Remedy:

Many firewall builders block external ICMP traffic from their internal network, since doing so limits the ability of outsiders to ping hosts or modify routing tables. Protection against external ICMP redirects is usually implemented at the router or the firewall. You should enable the anti-redirect feature on your Internet router or firewall.

If your router or firewall does not support anti-redirects, consider upgrading as soon as possible or contact the vendor for alternatives.
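
The filtering decision described above, as an added example (not code from the advisory or from any vendor): a Python classifier for raw IPv4 packets captured at the perimeter. The function name, the verdict labels, the 192.0.2.0/24 internal network and the sample packets are assumptions made for illustration; the off-net gateway check is an extra sanity check beyond what the page describes.

```python
import ipaddress

ICMP_PROTO, ICMP_REDIRECT = 1, 5
DEFINED_CODES = {0, 1, 2, 3}  # RFC 792 defines redirect codes 0-3 only

def classify_packet(packet: bytes, internal_net: str = "192.0.2.0/24"):
    """Return (verdict, reason) for one raw IPv4 packet seen at the perimeter."""
    net = ipaddress.ip_network(internal_net)
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ("ignore", "not IPv4")
    ihl = (packet[0] & 0x0F) * 4  # header length varies with IP options
    if ihl < 20 or packet[9] != ICMP_PROTO or len(packet) < ihl + 8:
        return ("ignore", "not a complete ICMP message")
    icmp_type, code = packet[ihl], packet[ihl + 1]
    if icmp_type != ICMP_REDIRECT:
        return ("ignore", "ICMP but not a redirect")
    src = ipaddress.ip_address(packet[12:16])
    gateway = ipaddress.ip_address(packet[ihl + 4:ihl + 8])
    if code not in DEFINED_CODES:  # includes the code=4 case in the warning
        return ("drop", f"undefined redirect code {code} from {src}")
    if src not in net:  # redirects should never arrive from outside
        return ("drop", f"external redirect from {src}")
    if gateway not in net:  # a usable next hop must be on the local network
        return ("drop", f"redirect from {src} names off-net gateway {gateway}")
    return ("review", f"internal redirect from {src} to gateway {gateway}")

# Constructed sample packets (documentation addresses, checksums zeroed).
_IP = "450000380000000040010000"  # IPv4 header bytes 0-11, protocol = ICMP
_DST = "c000020a"                 # destination 192.0.2.10
_QUOTED = "00" * 28               # stand-in for the quoted original datagram
SAMPLES = {
    "external": bytes.fromhex(_IP + "c6336407" + _DST + "05010000c00002fe" + _QUOTED),
    "code4":    bytes.fromhex(_IP + "c0000201" + _DST + "05040000c00002fe" + _QUOTED),
    "offnet":   bytes.fromhex(_IP + "c0000201" + _DST + "05010000c6336401" + _QUOTED),
    "internal": bytes.fromhex(_IP + "c0000201" + _DST + "05010000c00002fe" + _QUOTED),
    "echo":     bytes.fromhex(_IP + "c0000201" + _DST + "0800000000010001" + _QUOTED),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:9s}", *classify_packet(pkt))
```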

References:

Internet and Firewall Security, What are ICMP redirects and redirect bombs?, http://slis-two.lis.fsu.edu/~security/Firewall/page17.htm

The NT Shop, ICMP Redirects, http://www.ntsecurity.net/security/icmp-redirects.htm

ISS Security Advisory #14, ICMP Redirects Against Embedded Controllers, http://xforce.iss.net/alerts/advise14.php3

