The Internet Control Message Protocol (ICMP) (RFC 792) is used in the Internet 
Architecture to perform fault-isolation and recovery (RFC 816), which is the 
group of actions that hosts and routers take to determine if a network failure 
has occurred.

The industry standard TCP specification (RFC 793) has a vulnerability whereby 
ICMP packets can be used to perform a variety of attacks such as blind 
connection reset attacks and blind throughput-reduction attacks. Blind 
connection reset attacks can be triggered by an attacker sending forged ICMP 
"Destination Unreachable, host unreachable" packets or ICMP "Destination 
Unreachable, port unreachable" packets.  Blind throughput-reduction attacks can
be caused by an attacker sending a forged ICMP type 4 (Source Quench) packet.

Path MTU Discovery (RFC 1191) describes a technique for dynamically discovering
the MTU (maximum transmission unit) of an arbitrary internet path.  This 
protocol uses ICMP packets from the router to discover the MTU for a TCP 
connection path.  An attacker can reduce the throughput of a TCP connection by 
sending forged ICMP packets (or their IPv6
counterpart) to the discovering host, causing an incorrect Path MTU setting.

HP has addressed these potential vulnerabilities by providing a new kernel 
tunable in Tru64 UNIX V5.1B and 5.1A, icmp_tcpseqcheck. In Tru64 4.0F and 4.0G,
HP has introduced two new kernel tunables, icmp_tcpseqcheck and 
icmp_rejectcodemask. The icmp_rejectcodemask tunable is already available in 
Tru64 UNIX V5.1B and 5.1A.

icmp_tcpseqcheck
The icmp_tcpseqcheck variable mitigates ICMP attacks against TCP by checking 
that the TCP sequence number contained in the payload of the ICMP error message
is within the range of the data already sent but not yet acknowledged. An ICMP 
error message that does not pass this check is discarded. This behavior 
protects TCP against spoofed ICMP packets.

Set the tunable as follows:

        icmp_tcpseqcheck=1 (default)
        Provides a level of protection that reduces the possibility of
        considering a spoofed ICMP packet as valid to 1/2^32

        icmp_tcpseqcheck=0
        Retains existing behavior, i.e., accepts all ICMP packets
                
icmp_rejectcodemask
In the Requirements for IP Version 4 Routers (RFC 1812), research suggests that
the use of ICMP Source Quench packets is an ineffective (and unfair) antidote
for congestion. Thus, HP recommends completely ignoring ICMP Source Quench
packets using the icmp_rejectcodemask tunable. The icmp_rejectcodemask is a
bitmask that designates the ICMP types that the system should reject. For
example, to reject ICMP Source Quench packets, set the mask bit position for
the ICMP_SOURCEQUENCH type value 4, which is 2^4 = 16, or 0x10. The
icmp_rejectcodemask tunable can be used to reject any ICMP packet type, and
multiple mask bits can be combined to reject more than one type.

The ICMP type codes are in /usr/include/netinet/ip_icmp.h.

Set the tunable as follows:

        icmp_rejectcodemask = 0x10
        Rejects ICMP Source Quench packets
                
                
        icmp_rejectcodemask = 0 (default)
        Retains existing behavior, i.e., accepts all ICMP packets
                
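As an added illustration (not HP's kernel code), the following Python models the two checks the advisory describes: the icmp_rejectcodemask bit test, and the icmp_tcpseqcheck comparison of the TCP sequence number embedded in the ICMP error against the range of data sent but not yet acknowledged. The ICMP message, addresses and window values are constructed sample data, and the parsing is a simplified model of what a TCP stack would do.

```python
import struct

ICMP_DEST_UNREACH = 3
ICMP_SOURCE_QUENCH = 4          # 1 << 4 == 0x10, the mask value in the advisory
SEQ_MASK = 0xFFFFFFFF


def icmp_type_rejected(icmp_type, rejectcodemask):
    """icmp_rejectcodemask semantics: bit N set means ICMP type N is dropped."""
    return bool(rejectcodemask & (1 << icmp_type))


def seq_in_flight(seq, snd_una, snd_nxt):
    """True if seq lies in [snd_una, snd_nxt), i.e. sent but unacknowledged.
    Uses 32-bit modular arithmetic so it stays correct across wraparound."""
    return ((seq - snd_una) & SEQ_MASK) < ((snd_nxt - snd_una) & SEQ_MASK)


def should_accept_icmp_error(icmp_msg, snd_una, snd_nxt,
                             rejectcodemask=0, tcpseqcheck=1):
    """Apply both tunables to one ICMP error message.
    icmp_msg: 8-byte ICMP header, then the offending IPv4 header, then at
    least the first 8 bytes of the offending TCP header (ports + sequence)."""
    icmp_type = icmp_msg[0]
    if icmp_type_rejected(icmp_type, rejectcodemask):
        return False                      # icmp_rejectcodemask dropped it
    ihl = (icmp_msg[8] & 0x0F) * 4        # embedded IP header length in bytes
    tcp = icmp_msg[8 + ihl:8 + ihl + 8]
    if len(tcp) < 8:
        return False                      # cannot recover the sequence number
    _sport, _dport, seq = struct.unpack("!HHI", tcp)
    if tcpseqcheck:
        return seq_in_flight(seq, snd_una, snd_nxt)   # icmp_tcpseqcheck=1
    return True                                        # icmp_tcpseqcheck=0


def build_icmp_error(icmp_type, code, seq):
    """Constructed sample ICMP error: minimal IPv4 header + TCP ports/seq.
    Checksums are left as zero; addresses are placeholders."""
    icmp_hdr = struct.pack("!BBHI", icmp_type, code, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp_hdr = struct.pack("!HHI", 40000, 80, seq)
    return icmp_hdr + ip_hdr + tcp_hdr


if __name__ == "__main__":
    # Window: bytes 1000..1499 sent, not yet acknowledged.
    msg = build_icmp_error(ICMP_DEST_UNREACH, 1, 1200)
    print("in-window host-unreachable accepted:",
          should_accept_icmp_error(msg, 1000, 1500))
    spoof = build_icmp_error(ICMP_DEST_UNREACH, 1, 5000)
    print("out-of-window (spoofed) rejected:",
          not should_accept_icmp_error(spoof, 1000, 1500))
```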
Adjusting the variables
The ICMP sequence check variable (icmp_tcpseqcheck) can be adjusted using the 
sysconfig and sysconfigdb commands:

        # sysconfig -q inet icmp_tcpseqcheck
        inet:
        icmp_tcpseqcheck = 1
        
        # sysconfig -r inet icmp_tcpseqcheck=0
        icmp_tcpseqcheck: reconfigured
        
        # sysconfig -q inet icmp_tcpseqcheck
        inet:
        icmp_tcpseqcheck = 0
        
        # sysconfig -q inet icmp_tcpseqcheck > /tmp/icmp_tcpseqcheck_merge
        
        # sysconfigdb -m -f /tmp/icmp_tcpseqcheck_merge inet
        
        # sysconfigdb -l inet
         
        inet:
                icmp_tcpseqcheck = 1
        
Similarly, the icmp_rejectcodemask variable can be adjusted using the
sysconfig and sysconfigdb commands:

        # sysconfig -q inet icmp_rejectcodemask
        inet:
        icmp_rejectcodemask = 0
        
        # sysconfig -r inet icmp_rejectcodemask=0x10
        icmp_rejectcodemask: reconfigured
        
        # sysconfig -q inet icmp_rejectcodemask
        inet:
        icmp_rejectcodemask = 16 
        
        # sysconfig -q inet icmp_rejectcodemask >/tmp/icmp_rejectcodemask_merge
        
        # sysconfigdb -m -f /tmp/icmp_rejectcodemask_merge inet
        
        # sysconfigdb -l inet
         
        inet:
                icmp_rejectcodemask = 16