[PATCH] drop excessive ICMP ping traffic to the firewall

[PATCH] drop excessive ICMP ping traffic to the firewall

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 1235 bytes --]

pings are replied to for diagnostic reasons only. As unlimited
response generation may open up a (D)DoS attack surface for
both external and internal networks, dropping excessive traffic
is reasonable.

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 src/initscripts/system/firewall | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index b3483a744..622d7de4e 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -214,10 +214,12 @@ iptables_init() {
 	iptables -N IPTVFORWARD
 	iptables -A FORWARD -j IPTVFORWARD
 
-	# Allow to ping the firewall.
+	# Allow non-excessive pings to the firewall
 	iptables -N ICMPINPUT
 	iptables -A INPUT -j ICMPINPUT
-	iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
+	iptables -A ICMPINPUT -p icmp --icmp-type 8 -m limit --limit 100/second -j ACCEPT
+	iptables -A ICMPINPUT -p icmp --icmp-type 8 -m limit --limit 10/minute -j LOG --log-prefix "DROP_PINGFLOOD " -m comment --comment "DROP ping flood"
+	iptables -A ICMPINPUT -p icmp --icmp-type 8 -j DROP
 
 	# Accept everything on loopback
 	iptables -N LOOPBACK
-- 
2.16.4

Re: [PATCH] drop excessive ICMP ping traffic to the firewall

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 1791 bytes --]

Hi,

> On 4 Jul 2019, at 18:31, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> pings are replied to for diagnostic reasons only. As unlimited
> response generation may open up a (D)DoS attack surface for
> both external and internal networks, dropping excessive traffic
> is reasonable.

IPFire won’t do this. We have this configuration in place to avoid this which also works for any other kind of ICMP message (or at least what is selected by the mask):

net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.icmp_ratelimit = 1000
net.ipv4.icmp_ratemask = 6168

This is from /etc/sysctl.conf.

So do you still want the patch?

-Michael

> 
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> src/initscripts/system/firewall | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> index b3483a744..622d7de4e 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -214,10 +214,12 @@ iptables_init() {
> 	iptables -N IPTVFORWARD
> 	iptables -A FORWARD -j IPTVFORWARD
> 
> -	# Allow to ping the firewall.
> +	# Allow non-excessive pings to the firewall
> 	iptables -N ICMPINPUT
> 	iptables -A INPUT -j ICMPINPUT
> -	iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
> +	iptables -A ICMPINPUT -p icmp --icmp-type 8 -m limit --limit 100/second -j ACCEPT
> +	iptables -A ICMPINPUT -p icmp --icmp-type 8 -m limit --limit 10/minute -j LOG --log-prefix "DROP_PINGFLOOD " -m comment --comment "DROP ping flood"
> +	iptables -A ICMPINPUT -p icmp --icmp-type 8 -j DROP
> 
> 	# Accept everything on loopback
> 	iptables -N LOOPBACK
> -- 
> 2.16.4
> 

Re: [PATCH] drop excessive ICMP ping traffic to the firewall

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 2222 bytes --]

Hello Michael,

> Hi,
> 
>> On 4 Jul 2019, at 18:31, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>
>> pings are replied to for diagnostic reasons only. As unlimited
>> response generation may open up a (D)DoS attack surface for
>> both external and internal networks, dropping excessive traffic
>> is reasonable.
> 
> IPFire won’t do this. We have this configuration in place to avoid this which also works for any other kind of ICMP message (or at least what is selected by the mask):
> 
> net.ipv4.icmp_echo_ignore_broadcasts = 1
> net.ipv4.icmp_ignore_bogus_error_responses = 1
> net.ipv4.icmp_ratelimit = 1000
> net.ipv4.icmp_ratemask = 6168
> 
> This is from /etc/sysctl.conf.
I was unaware of this configuration. The rate limit of 1000
might be a bit too large for home users, depending on how
many other ICMP packets need to be processed or sent.

Anyway, it's good to have these directives around. :-)
> 
> So do you still want the patch?
No, thank you.

Best regards,
Peter Müller
> 
> -Michael
> 
>>
>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>> ---
>> src/initscripts/system/firewall | 6 ++++--
>> 1 file changed, 4 insertions(+), 2 deletions(-)
>>
>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>> index b3483a744..622d7de4e 100644
>> --- a/src/initscripts/system/firewall
>> +++ b/src/initscripts/system/firewall
>> @@ -214,10 +214,12 @@ iptables_init() {
>> 	iptables -N IPTVFORWARD
>> 	iptables -A FORWARD -j IPTVFORWARD
>>
>> -	# Allow to ping the firewall.
>> +	# Allow non-excessive pings to the firewall
>> 	iptables -N ICMPINPUT
>> 	iptables -A INPUT -j ICMPINPUT
>> -	iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
>> +	iptables -A ICMPINPUT -p icmp --icmp-type 8 -m limit --limit 100/second -j ACCEPT
>> +	iptables -A ICMPINPUT -p icmp --icmp-type 8 -m limit --limit 10/minute -j LOG --log-prefix "DROP_PINGFLOOD " -m comment --comment "DROP ping flood"
>> +	iptables -A ICMPINPUT -p icmp --icmp-type 8 -j DROP
>>
>> 	# Accept everything on loopback
>> 	iptables -N LOOPBACK
>> -- 
>> 2.16.4
>>
> 

-- 
The road to Hades is easy to travel.
	-- Bion of Borysthenes