Re: ICMP Payload Limiting

AdnanShahid · ‎06-17-2008

Hi,

Can any body tell me how can Limit ICMP Payload. Like in my network no one can ping will more than 64 Byte. If anybody ping lets say with 100 Byte then the ping will be droped.

Any doc or suggestion would be appreciated.

Regards

Adnan

michael.leblanc · ‎06-17-2008

IOS-router(config)#access-list 190 deny icmp any any echo ?

dscp Match packets with given dscp value

log Log matches against this entry

log-input Log matches against this entry, including input interface

option Match packets with given IP Options value

precedence Match packets with given precedence value

time-range Specify a time-range

tos Match packets with given TOS value

I don't see any support for the criteria you wish to match on.

You might want to focus on rate-limiting ICMP (Control Plane Policing, Management Plane Policing), and denying ICMP fragments (perhaps all fragments):

e.g.:

deny tcp any any log fragments

deny udp any any log fragments

deny icmp any any log fragments

If you have implemented IPS, there is bound to be a signature to address unusually large ICMP echo requests (although larger than 100 bytes). Depending on your platform, maybe you have the option of constructing your own signature.

If you were using the Flexible Packet Matching (FPM) feature, that might give you the versatility to match with the specific criteria desired.

AdnanShahid · ‎06-18-2008

Hi Michael,

Many many thanks for your feedback and info.

First of all, rate-limit only gives me limiting the frequency (or total bw) of the ICMP - but users will still able to ping with high payload and keep choking my network/server.

Currently in my inside network (of more than 20 sites) we are allowing only echo, echo-reply, packet-too-big and time-exceeded ICMP messages.

Yes I have IPS (4255) where I am getting huge Large_ICMP Alert mainly in my Inside Network (Its in Promiscous Mode). This signatures fires when payload is more than 1024 Bytes. Thats why I need to limit the payload.

Now - I can create a new ICMP signature but I really wonder of what action should I can apply if the signature fires. Is it possible - whether I can apply TCP_RESET type of things?? Would appreciate if you can help me out - of what sort of action can I apply??

FPM is new feature to me. I will check it and then may come to you.

Many Thanks again for your suggestion and information.

Regards

Adnan

michael.leblanc · ‎06-18-2008

Rate-limiting was suggested as a "mitigating alternative" given that you seemed concerned about the presence of these packets, which I wouldn't have expected to be frequently observed.

If you have users deliberately pinging with large payloads, perhaps you need to be more selective in your ACLs, as to which sources are permitted to use ping, and/or to which destinations.

With a custom signature you would likely just "drop" the offending ICMP packet. You wouldn't be able to do a reset though, as there is no virtual-connection (i.e.: it's not like TCP).

I've done some reading on Flexible Packet Matching, but have not implemented it, and would not be in a position to advise you on the subject.

Flexible Packet Matching docs:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6723/prod_qas0900aecd804b915e.pdf

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6723/prod_white_paper0900aecd80633b0a.pdf

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6723/prod_white_paper0900aecd803936f6.pdf

AdnanShahid · ‎06-18-2008

Hi Michael,

I have checked my IPS and try to create Signatures with ICMP. But I wonder what Event Action should I apply. My one is in Promicous mode. Can u pls help me out - give us an idea/doc how can I drop the offending traffic.

Regards

Adnan

nomair_83 · ‎06-19-2008

Dear just create a new signature and define the icmp payload length and actions as well.

Like request block connection or request block host.

Regards,

michael.leblanc · ‎06-19-2008

Unfortunately, I don't have access to an IPS 4255, or anything like it.

I've not read the following document, and I'm not sure if the software release is the same as what you have installed, but it might provide the guidance you need:

http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/CLI6_0.pdf

michael.leblanc · ‎06-20-2008

The following excerpt from:

http://www.cisco.com/warp/public/cc/pd/iosw/tech/plicy_wp.pdf

... suggests that Policy Based Routing could be used to match (and perhaps route to a Null interface) ICMP packets of a specific length:

" Match Clauses-Defining the Criteria

The IP standard or extended ACLs can be used to establish the match criteria. The standard IP access lists can be used to specify the match criteria for source address; extended access lists can be used to specify the match criteria based on application, protocol type, TOS, and precedence.

The match clause feature has been extended to include matching packet length between specified minimum and maximum values. The network administrator can then use the match length as the criterion that distinguishes ....."

Configuring Policy Based Routing:

http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr.pdf

AdnanShahid · ‎06-23-2008

Dear Michael,

Pls look at the following config,

access-list 110 permit icmp any any echo

access-list 110 permit icmp any any echo-reply

access-list 110 permit ip any any

route-map name_route_map permit 1156

match ip address 110

match length 512 1024

set interface Null0

I add 110 ACL and the route-map in the Interface. But the icmp traffic (>513 1024<)is not blocking.

Any suggestion?

Regards

Adnan