ICMP (Internet Control Message Protocol) is one of the protocols in the IP (Internet Protocol) suite. It is used for error reporting by network devices, and network and system administrators use it to troubleshoot connectivity issues in the form of ping and traceroute.
Most people are familiar with ping and the basic functionality that ICMP provides, but ICMP defines over 40 types of control messages. Two that have been known to be used in attacks are Timestamp Request (type 13) and Timestamp Reply (type 14). ICMP types 13 and 14 are not attacked directly; rather, they provide critical information that can help attack time-based security algorithms. If left unchecked they can also provide other important reconnaissance information. These issues have been around, in one form or another, for over 20 years.
This pattern of attack leverages standard requests to learn the exact time associated with a target system. An adversary may be able to use the timestamp returned from the target to attack time-based security algorithms, such as random number generators, or time-based authentication mechanisms.
-CAPEC
Allowing remote users to transmit ICMP request or reply packets onto a local network could result in an exploit, resulting in an attacker developing a network map for targeting purposes.
- Cisco Security Activity Bulletin
ICMP Timestamp Request and Reply are low risk, but they occur with a very high frequency. Since the issue is so common and easy to mitigate, there is no reason to ignore it.
Red Hat Enterprise Linux is configured by default to respond to all ICMP requests. Users may configure the firewall to prevent a system from responding to certain ICMP requests.
- Official Statement from Red Hat - 5 JAN 2010
ICMP timestamp responses should be denied by the host firewall. Below you will find information for blocking ICMP timestamp request and reply on popular firewalls used by most Linux distributions.
NOTE: For highly critical systems it is possible to block ICMP completely, although this can adversely affect network connectivity.
Block ICMP Timestamps with IPTables
Here we will block incoming ICMP timestamp requests using the INPUT chain and outgoing ICMP timestamp replies using the OUTPUT chain. Please keep in mind that your firewall configuration is specific to your machine. Your iptables chains may have different names, which would need to be changed in the examples below. For more information on iptables read "Basics of Iptables".
Block ICMP Timestamp requests (type 13) with iptables:
iptables -I INPUT -p icmp --icmp-type timestamp-request -j DROP
Block ICMP Timestamp reply (type 14) with iptables:
iptables -I OUTPUT -p icmp --icmp-type timestamp-reply -j DROP
Be sure to save your rules when you are done.
Red Hat / CentOS:
iptables-save > /etc/sysconfig/iptables
Debian / Ubuntu:
iptables-save > /etc/iptables/rules.v4
Block all ICMP Traffic with IPTables
You can block all ICMP traffic with iptables by using the following command:
iptables -I INPUT -p icmp -j DROP
Block ICMP Timestamps with FirewallD
Firewall configurations are usually very specific to the needs of the system. You should take extra care to ensure the command below will work in your environment. For example, our development box has a default zone named public; your default zone may be different. To learn more about firewalld read "Introduction to Firewalld Basics".
firewall-cmd --zone=public --add-icmp-block={timestamp-request,timestamp-reply} --permanent
Reload your firewall to make the changes take effect.
firewall-cmd --reload
Block ICMP Timestamps with Uncomplicated Firewall (UFW)
I find the uncomplicated firewall to be... umm, complicated. It seems there is no command to directly configure firewall rules to include ICMP types. You have to edit the configuration files. Again, be careful and ensure you are matching these rules to your system's needs. To learn more about Uncomplicated Firewall (UFW) read "Uncomplicated Firewall Basics".
Add the following two lines to /etc/ufw/before.rules:
-A ufw-before-input -p icmp --icmp-type timestamp-request -j DROP
-A ufw-before-output -p icmp --icmp-type timestamp-reply -j DROP
Reload the firewall:
sudo ufw reload
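As an added example (not from the original post), the script below applies the plain-iptables rules from the iptables section idempotently, saves them to the distribution path given there, and verifies the result from an `iptables -S` dump; the same verifier also accepts the ufw-before-input/ufw-before-output chain names from the UFW section. It assumes `iptables -S` prints the ICMP type numerically (13/14), so both the number and the symbolic name are matched.

```shell
#!/bin/sh
# Added example, not part of the original post. Re-running the plain
# "iptables -I" commands stacks duplicate rules; "iptables -C" checks for an
# existing rule first so the script can be run repeatedly.

# Match one "-A <chain> ... --icmp-type <type> ... -j DROP" line of an
# `iptables -S` dump. Assumption: iptables -S prints the type as a number,
# so both the number and the symbolic name are accepted.
dump_has_drop() {          # $1=dump text  $2=chain  $3=numeric type  $4=name
    printf '%s\n' "$1" |
        grep -Eq -- "^-A $2( .*)? -p icmp( .*)? --icmp-type ($3|$4)( .*)? -j DROP\$"
}

# Return 0 only when both the inbound request block and the outbound reply
# block are present (chain names differ between raw iptables and UFW).
timestamps_blocked() {     # $1=dump text  $2=input chain  $3=output chain
    dump_has_drop "$1" "$2" 13 timestamp-request &&
        dump_has_drop "$1" "$3" 14 timestamp-reply
}

# Insert a DROP rule only if -C cannot find an identical one.
ensure_rule() {            # $1=chain  $2=icmp type name
    iptables -C "$1" -p icmp --icmp-type "$2" -j DROP 2>/dev/null ||
        iptables -I "$1" -p icmp --icmp-type "$2" -j DROP
}

block_icmp_timestamps() {
    ensure_rule INPUT  timestamp-request
    ensure_rule OUTPUT timestamp-reply
    # Persist to the default location the post gives for each family.
    if [ -d /etc/sysconfig ]; then
        iptables-save > /etc/sysconfig/iptables        # Red Hat / CentOS
    elif [ -d /etc/iptables ]; then
        iptables-save > /etc/iptables/rules.v4         # Debian / Ubuntu
    fi
    # Verify against the live ruleset rather than trusting the inserts.
    timestamps_blocked "$(iptables -S)" INPUT OUTPUT
}

# Only touch the live firewall when explicitly asked and running as root.
if [ "${1:-}" = apply ] && [ "$(id -u)" = 0 ]; then
    block_icmp_timestamps && echo "ICMP timestamp request/reply blocked"
fi
```

Run it as `sh block-icmp-timestamps.sh apply` on a plain-iptables host; on a UFW host, use only `timestamps_blocked "$(iptables -S)" ufw-before-input ufw-before-output` to confirm the before.rules edits took effect.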
Conclusion
Although the ICMP timestamp request and reply vulnerabilities are low risk, they are easily mitigated. Whether or not this is right for your system is completely up to you.
3 Comments
-A ufw-before-ouput -p icmp --icmp-type timestamp-reply -j DROP fails on ubuntu 18
Please post exactly what you are doing and the output, maybe someone can help.
Your solution to block these with UFW is unnecessary - they are already blocked by default policy, and only specific icmp-types are allowed (dest-unreachable, time-exceeded, parameter-problem, echo-request) in the /etc/ufw/before.rules file.