Article Number: 000151666


Force10 Security Advisory: ICMP Attacks Against TCP

Article Content


Symptoms

Article Summary:
A draft IETF document was published and made available describing various
attack methods possible against TCP sessions using ICMP. These
vulnerabilities are described in “ICMP attacks against TCP”, published by
Fernando Gont and available at http://www.ietf.org/internet-drafts/draft-gont-tcpm-icmp-attacks-03.txt.

The draft describes three vulnerabilities:
  1. Blind connection-reset attacks with ICMP ‘hard errors’
  2. Blind throughput-reduction attacks with ICMP source-quench
  3. Blind throughput-reduction attacks with ICMP and PMTU Discovery

Table of Contents:
  1. Products Affected
  2. Workaround
  3. Software Fixes
  4. Status of Advisory
  5. Advisory Date History and Version


1. Products Affected


The following matrix describes the vulnerability of Force10’s products:


Attack          TeraScale RPM E300, E600 and E1200  EtherScale RPM E1200 and E600       EtherScale RPM E300
                (LC-RPM-EF3 LC-RPM-EF)              (LC-ED-RPM)                         (LC-EE3-RPM)
Blind Reset     Not Vulnerable                      Not Vulnerable                      Not Vulnerable
Source Quench   CP Processor TCP Sessions Only [1]  CP Processor TCP Sessions Only [1]  All TCP Sessions [2]
PMTU Discovery  Not Vulnerable                      Not Vulnerable                      Not Vulnerable

[1] PR58560: Telnet, SSH, SCP and FTP only. BGP is not affected.
[2] PR57803: Telnet, SSH, SCP, FTP, and BGP

Blind Throughput-Reduction with ICMP source-quench

If an attacker knows or can guess the socket pair between two TCP end
points, it is possible to slow the TCP connection by crafting an ICMP
source-quench packet.


 
2. Workaround


On EE3, EF, and EF3 RPMs it is possible to create a loopback ACL which filters
packets going to the CPU(s):

interface Loopback 0
 ip access-group deny_quench in
 no shutdown
!
ip access-list extended deny_quench
 seq 5 deny icmp any any source-quench
 seq 10 permit ip any any


On ED RPMs, it is only possible to apply ACLs per-interface. Each interface would
need an ACL denying ICMP to each IP address configured on the E600/E1200, as
well as any loopbacks sourcing TCP sessions. For example:

interface Loopback 0
 ip address 192.168.0.1/32
 no shutdown
!
interface Loopback 1
 ip address 192.168.1.1/32
 no shutdown
!
interface TenGigabitEthernet 0/0
 ip address 172.16.0.1/30
 ip access-group deny_quench in
 no shutdown
!
interface TenGigabitEthernet 0/1
 ip address 172.16.1.1/30
 ip access-group deny_quench in
 no shutdown
!
ip access-list extended deny_quench
 seq 5 deny icmp any host 172.16.0.1 source-quench
 seq 10 deny icmp any host 172.16.1.1 source-quench
 seq 15 deny icmp any host 192.168.0.1 source-quench
 seq 20 deny icmp any host 192.168.1.1 source-quench
 seq 25 permit ip any any
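
A check for the ED RPM workaround above, added here as an example and not Force10's or Dell's own tooling: it parses a configuration excerpt and reports any configured address with no source-quench deny entry ahead of the catch-all permit, and any non-loopback interface missing the access-group. The names `audit` and `SAMPLE`, the constructed sample config, ascending seq evaluation order, and the expectation that only non-loopback interfaces carry the ACL (as in the example above) are assumptions.

```python
import re

# Constructed config modelled on the ED RPM example above, with two planted
# gaps: 192.168.1.1 has no deny entry, and TenGigabitEthernet 0/1 has no ACL.
SAMPLE = """\
interface Loopback 0
 ip address 192.168.0.1/32
!
interface Loopback 1
 ip address 192.168.1.1/32
!
interface TenGigabitEthernet 0/0
 ip address 172.16.0.1/30
 ip access-group deny_quench in
!
interface TenGigabitEthernet 0/1
 ip address 172.16.1.1/30
!
ip access-list extended deny_quench
 seq 5 deny icmp any host 172.16.0.1 source-quench
 seq 10 deny icmp any host 172.16.1.1 source-quench
 seq 15 deny icmp any host 192.168.0.1 source-quench
 seq 25 permit ip any any
"""

def audit(config, acl="deny_quench"):
    """Return (addresses lacking a deny entry, interfaces lacking the ACL)."""
    addrs, no_acl, rules = [], [], []
    for stanza in re.split(r"^![ \t]*$", config, flags=re.M):
        head, *body = [l.strip() for l in stanza.strip().splitlines()] or [""]
        if head.startswith("interface "):
            ips = [l.split()[2].split("/")[0] for l in body if l.startswith("ip address ")]
            addrs += ips
            # Assumption: as in the page's example, loopbacks carry no ACL.
            if ips and "Loopback" not in head and f"ip access-group {acl} in" not in body:
                no_acl.append(head[len("interface "):])
        elif head == f"ip access-list extended {acl}":
            rules = sorted((l.split() for l in body if l.startswith("seq ")), key=lambda r: int(r[1]))
    covered = set()
    for r in rules:  # assumption: entries are evaluated in ascending seq order
        if r[2:] == ["permit", "ip", "any", "any"]:
            break  # entries after the catch-all permit never match
        if r[2:] == ["deny", "icmp", "any", "any", "source-quench"]:
            covered |= set(addrs)  # the blanket form covers every address
        if r[2:6] == ["deny", "icmp", "any", "host"] and r[-1] == "source-quench":
            covered.add(r[6])
    return sorted(set(addrs) - covered), no_acl

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run it against a saved copy of the configuration after adding an interface or loopback address, since a new address is exactly what this per-interface workaround silently misses.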


 
3. Software Fixes


The vulnerability matrix for PR57803 (ICMP source-quench throughput-reduction
attack) can be found below.

Vulnerable Release   Fixed Release      Fixed Release Date
6.2.1.x and earlier  6.2.1.5 and later  September 2005


The vulnerability matrix for PR 58650 (ICMP source-quench throughput-reduction
attack) can be found below.

Vulnerable Release  Fixed Release  Fixed Release Date
6.5.1.x, 7.4.x      7.5.1.0        August 21, 2007


 
4. Status of Advisory


Final



5. Advisory Date History and Version


15 April 2005, version 1.0
21 August 2007, version 2.0 


 

Article Properties

Last Published Date: 21 Feb 2021
Version: 3
Article Type: Solution