The Internet Draft entitled "ICMP attacks against TCP", dated December 22, 2004, describes how a server can be attacked by using Internet Control Message Protocol (ICMP) messages to reset or slow down data transmission. Unisys has developed a security change to prevent these attacks. The change, which is not compliant with RFC 1122, addresses the following security issues:
- When an ICMP Destination Unreachable message with reason = Protocol_Unavailable is received, RFC 1122 states that the dialog should be reset. The security change ignores the ICMP message and the dialog is not reset.
- When an ICMP Destination Unreachable message with reason = Port_Unavailable is received, RFC 1122 states that the dialog should be reset. The security change ignores the ICMP message and the dialog is not reset.
- When an ICMP Source Quench message is received, RFC 1122 states that a "slow start" algorithm should be initiated. The security change ignores the ICMP message.
Since these security changes override RFC 1122 recommendations, an ISSUEICMPRESET option has been added to the TCPIP OPTION command. If the ISSUEICMPRESET option is enabled (the default), the RFC 1122 compliant actions are taken. However, if ISSUEICMPRESET is disabled, the RFC 1122 compliant actions are not taken and the security changes listed above are activated.
To enable TCP dialog resets caused by ICMP messages and activate RFC 1122 features, enter the following:
NW TCPIP OPT + ISSUEICMPRESET
To disable TCP dialog resets caused by ICMP messages and activate security changes which protect TCP dialogs against ICMP attacks, enter the following:
NW TCPIP OPT - ISSUEICMPRESET
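The decision that the option switches, as an added Python example (not Unisys code; the packet layout helpers and function names are assumptions): it decodes an ICMP error far enough to identify the TCP dialog it claims to concern, then returns the RFC 1122 action when ISSUEICMPRESET is enabled or ignores the message when it is disabled.

```python
import struct

# ICMP types and codes the page refers to (RFC 792 values)
ICMP_DEST_UNREACHABLE = 3
ICMP_SOURCE_QUENCH = 4
CODE_PROTOCOL_UNREACHABLE = 2
CODE_PORT_UNREACHABLE = 3
IPPROTO_TCP = 6

def parse_icmp_error(pkt: bytes) -> dict:
    """Decode an ICMP error: 8-byte ICMP header, then the IPv4 header and
    first 8 bytes (ports + sequence number) of the segment that triggered it."""
    icmp_type, icmp_code = pkt[0], pkt[1]
    inner = pkt[8:]
    ihl = (inner[0] & 0x0F) * 4          # embedded IPv4 header length
    proto = inner[9]
    src = ".".join(map(str, inner[12:16]))
    dst = ".".join(map(str, inner[16:20]))
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    return {"type": icmp_type, "code": icmp_code, "proto": proto,
            "dialog": (src, sport, dst, dport), "seq": seq}

def icmp_action(pkt: bytes, issue_icmp_reset: bool) -> str:
    """What the stack does with an ICMP error aimed at one of its dialogs:
    'reset' / 'slow_start' (RFC 1122 behaviour, ISSUEICMPRESET enabled)
    or 'ignore' (the security change, ISSUEICMPRESET disabled)."""
    msg = parse_icmp_error(pkt)
    if msg["proto"] != IPPROTO_TCP:
        return "ignore"                  # not about a TCP dialog at all
    hard_error = (msg["type"] == ICMP_DEST_UNREACHABLE and
                  msg["code"] in (CODE_PROTOCOL_UNREACHABLE, CODE_PORT_UNREACHABLE))
    if hard_error:
        return "reset" if issue_icmp_reset else "ignore"
    if msg["type"] == ICMP_SOURCE_QUENCH:
        return "slow_start" if issue_icmp_reset else "ignore"
    return "ignore"                      # other codes are not covered by the option

def build_icmp_error(icmp_type, icmp_code, src, dst, sport, dport, seq=0) -> bytes:
    """Constructed sample packet (checksums left zero) for offline demonstration."""
    icmp_hdr = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 48, 0, 0, 64, IPPROTO_TCP, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp8 = struct.pack("!HHI", sport, dport, seq)
    return icmp_hdr + ip_hdr + tcp8
```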