TMS zl Management and Configuration Guide ST.1.2.100916

4-105
Firewall
Attack Checking
Attack Check Descriptions
This section includes a detailed description of each attack check.
ICMP Replay
In this attack, the attacker sends Internet Control Message Protocol (ICMP)
messages to one or many ports, in hopes of mapping out open and closed ports.
No response indicates that a port is open. The attacker can then use this
information to launch many types of attacks, including a DoS attack. Enable
this check to drop all duplicate ICMP messages.
ICMP Error Messages
ICMP reports problems that are incurred while delivering IP packets. The
message header of the ICMP packet contains the Internet header and the first
64 bits of the packet that caused the error. (The ICMP error message is sent
only once per failure.) This enables the device that caused the error to locate
and correct the transport protocol failure. The error message may be sent by
either the end device or an intermediate device; the protocol does not place
any importance on the device that sends the error message. This quality makes
ICMP messages easy to forge and hard to detect.
An attacker can launch an ICMP error message attack by impersonating an
end or intermediate device and repeatedly replaying an error message.
Because the TCP protocol includes fault recovery responses for ICMP messages, replaying the messages causes the transfer protocol to perpetually try
to correct the error, which results in a DoS.
ICMP error messages can be used to launch several types of attacks:
Blind connection-reset attacks
The TCP fault-recovery policy for a “hard error” is to reset the connection.
A couple of examples of hard errors are the Destination Unreachable and Time
Exceeded messages. Destination Unreachable messages are sent when the
network cannot be reached. An attacker can send a forged Destination
Unreachable to a client; this message will interrupt the TCP connection,
which results in DoS for the client.
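As an added illustration (not part of this guide or the TMS zl product code), the following Python decodes an ICMP error message the way the text describes it (8-byte ICMP header, then the quoted IP header and the first 64 bits of the packet that caused the error), verifies its checksum, flags the types the guide treats as hard errors, and discards duplicates in the spirit of the ICMP Replay check. The sample packet, its addresses and ports, and the class and function names are constructed for this example.

```python
import struct

HARD_ERROR_TYPES = {3: "Destination Unreachable", 11: "Time Exceeded"}  # hard errors per this guide

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a message whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_icmp_error(msg: bytes) -> dict:
    """Decode an ICMP error: 8-byte ICMP header, then the offending datagram's
    IP header plus the first 64 bits (8 bytes) after it, as the guide describes."""
    if len(msg) < 8 + 20 + 8 or icmp_checksum(msg) != 0:
        raise ValueError("ICMP message too short or checksum invalid")
    inner = msg[8:]                      # quoted original datagram
    ihl = (inner[0] & 0x0F) * 4          # IP header length in bytes
    quoted = inner[ihl:ihl + 8]          # first 64 bits after the IP header
    if len(quoted) < 8:
        raise ValueError("truncated quoted datagram")
    sport, dport = struct.unpack("!HH", quoted[:4])   # ports for TCP/UDP
    return {"type": msg[0], "code": msg[1], "hard_error": msg[0] in HARD_ERROR_TYPES,
            "proto": inner[9], "src": ".".join(map(str, inner[12:16])),
            "dst": ".".join(map(str, inner[16:20])),
            "sport": sport, "dport": dport, "quoted": quoted}

class IcmpReplayFilter:
    """Hypothetical helper: drops an ICMP error whose header and quoted data repeat one already seen."""
    def __init__(self):
        self.seen = set()

    def accept(self, msg: bytes) -> bool:
        i = parse_icmp_error(msg)
        key = (i["type"], i["code"], i["src"], i["dst"], i["proto"], i["quoted"])
        if key in self.seen:
            return False                 # duplicate: what the ICMP Replay check discards
        self.seen.add(key)
        return True

def build_sample_dest_unreachable() -> bytes:
    """Constructed sample: Destination Unreachable (type 3, code 3) quoting a TCP
    segment 10.0.0.5:44321 -> 192.0.2.10:443 (all values are test data)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 48, 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
    first64 = struct.pack("!HHI", 44321, 443, 1)    # src port, dst port, seq
    body = struct.pack("!BBHI", 3, 3, 0, 0) + ip + first64
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]
```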