Opened 6 years ago

Last modified 4 years ago

#11242 accepted defect

[firewall] possible ICMPv6 denial of service in default firewall rule

Reported by: lsching17@…
Owned by: jow
Priority: normal
Milestone: Barrier Breaker 14.07
Component: packages
Version: Trunk
Keywords: firewall ICMPv6 denial
Cc:

Description

in /etc/config/firewall (trunk/package/firewall/files/firewall.config)

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

An attacker can stop all ICMPv6 traffic by sending 1000 ICMPv6 packets/s to the router.

The simplest solution is to remove the line "option limit 1000/sec" and let LAN clients handle a possible ICMPv6 flood themselves.

Attachments (0)

Change History (4)

comment:1 follow-up: Changed 6 years ago by jow

  • Owner changed from developers to jow
  • Status changed from new to accepted

The proper solution is to use hashlimit instead of limit. RFC4890 suggests performing rate limiting on unauthenticated ICMPv6 so I'm going to stick to it.
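The following is an added example and is not code from the ticket or from the OpenWrt firewall package. It models the difference between the description's "option limit 1000/sec" (the iptables "limit" match, which keeps one token bucket shared by every source that hits the rule) and the per-source "hashlimit" match jow proposes (one bucket per source address, as with --hashlimit-mode srcip). The bucket parameters are assumptions (1000 tokens/s from the rule, burst 5 as the iptables default), the traffic is constructed, and the addresses are from the 2001:db8::/32 documentation prefix.

```python
"""Token-bucket model: shared 'limit' vs per-source 'hashlimit' rate limiting.

Added illustration for the ICMPv6 rule in the ticket; not the firewall
package's own code. The bucket is a simplification of the netfilter
implementation, and all traffic below is constructed.
"""
from collections import defaultdict

RATE_PER_SEC = 1000      # the ticket's 'option limit 1000/sec'
BURST = 5                # assumed: iptables default --limit-burst / --hashlimit-burst


class TokenBucket:
    """Continuously refilled token bucket; time is measured in milliseconds."""

    def __init__(self, rate_per_sec=RATE_PER_SEC, burst=BURST):
        self.rate_per_ms = rate_per_sec / 1000.0
        self.burst = burst
        self.tokens = float(burst)   # starts full, so an initial burst passes
        self.last_ms = 0

    def allow(self, now_ms):
        """Refill for the elapsed time, then spend one token if available."""
        elapsed = now_ms - self.last_ms
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate_per_ms)
        self.last_ms = now_ms
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def shared_limit(packets):
    """'limit' match: a single bucket for every source behind the rule."""
    bucket = TokenBucket()
    accepted = defaultdict(int)
    for t_ms, src in packets:
        if bucket.allow(t_ms):
            accepted[src] += 1
    return dict(accepted)


def per_source_limit(packets):
    """'hashlimit' keyed on srcip: one bucket per source address."""
    buckets = defaultdict(TokenBucket)
    accepted = defaultdict(int)
    for t_ms, src in packets:
        if buckets[src].allow(t_ms):
            accepted[src] += 1
    return dict(accepted)


ATTACKER = "2001:db8:ffff::1"   # constructed flood source (documentation prefix)
CLIENT = "2001:db8::10"         # constructed legitimate peer (documentation prefix)


def constructed_traffic():
    """One second of constructed traffic, in time order.

    The flood source sends 5 packets every millisecond (5000/s, five times the
    rule's limit); the legitimate peer sends 10 packets, one every 100 ms.
    Within a millisecond the flood packets are processed first, which is the
    realistic case once the flood outpaces the refill rate.
    """
    packets = []
    for ms in range(1000):
        packets.extend((ms, ATTACKER) for _ in range(5))
        if ms % 100 == 99:
            packets.append((ms, CLIENT))
    return packets


def compare():
    """Accepted packets per source under each limiting strategy."""
    pkts = constructed_traffic()
    return {"limit": shared_limit(pkts), "hashlimit": per_source_limit(pkts)}


if __name__ == "__main__":
    for match, counts in compare().items():
        print(f"{match:9s} flood accepted: {counts.get(ATTACKER, 0):5d}   "
              f"client accepted: {counts.get(CLIENT, 0):2d} of 10")
```

Run with python3: under the shared limit the flood drains the bucket every millisecond and none of the client's packets get through, which is the denial of service the description reports; under the per-source limit the client's packets are all accepted while the flood is still held to roughly 1000/s. The per-source variant does not remove the cost of processing that 1000/s, and it keeps a bucket per source key, so its table size has to be bounded; that is the CPU and memory concern raised later in the ticket.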

comment:2 in reply to: ↑ 1 Changed 6 years ago by lsching17@…

Replying to jow:

The proper solution is to use hashlimit instead of limit. RFC4890 suggests performing rate limiting on unauthenticated ICMPv6 so I'm going to stick to it.

Sorry, I know that this is off topic.

Why does the ticket creator not get an email notification?

comment:3 Changed 6 years ago by lsching17@…

Automatic handling of a flood seems difficult, as it often requires tweaking (e.g. source network prefix, TTL, etc.).
I doubt whether it will open another loophole for an attacker to exhaust the router's limited CPU and memory.
Besides, the client side (modern PCs and mobile devices) should have much more hardware capacity to handle this kind of attack.

Anyway, if this is possible, this will be great.

Thank you very much anyway.

comment:4 Changed 4 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted
