The Internet Control Message Protocol (ICMP) (RFC 792) is used in the Internet Architecture to perform fault-isolation and recovery (RFC 816), which is the group of actions that hosts and routers take to determine if a network failure has occurred.

TCP as specified in RFC 793 acts on ICMP error messages that reference one of its connections without any check that the message actually came from the path, so an off-path ("blind") attacker who can guess a connection's addresses and ports can use forged ICMP messages for a variety of attacks, including blind connection reset attacks and blind throughput-reduction attacks. Blind connection reset attacks can be triggered by an attacker sending forged ICMP "Destination Unreachable, host unreachable" (type 3, code 1) or "Destination Unreachable, port unreachable" (type 3, code 3) messages, which cause the receiving TCP to abort the connection. Blind throughput-reduction attacks can be caused by an attacker sending forged ICMP type 4 (Source Quench) messages, which make the receiving TCP cut its sending rate.

Path MTU Discovery (RFC 1191) describes a technique for dynamically discovering the MTU (maximum transmission unit) of an arbitrary internet path: the sending host sets the IP Don't Fragment bit and lowers its Path MTU estimate whenever a router returns an ICMP "Destination Unreachable, fragmentation needed" message (type 3, code 4) carrying the next-hop MTU. An attacker who sends forged messages of this kind (or their IPv6 Packet Too Big counterpart) to the discovering host can impose an artificially small Path MTU on a TCP connection, forcing it to send tiny segments and reducing its throughput.

HP has addressed these potential vulnerabilities by providing a new kernel tunable, icmp_tcpseqcheck, in Tru64 UNIX V5.1B and V5.1A. In Tru64 UNIX V4.0F and V4.0G, HP has introduced two new kernel tunables, icmp_tcpseqcheck and icmp_rejectcodemask; icmp_rejectcodemask was already available in V5.1B and V5.1A.

icmp_tcpseqcheck
The icmp_tcpseqcheck variable mitigates ICMP attacks against TCP by checking that the TCP sequence number quoted in the payload of the ICMP error message (RFC 792 requires an ICMP error to carry the IP header plus the first 8 bytes of the offending datagram, which for TCP include the sequence number) falls within the range of data already sent but not yet acknowledged. An ICMP error message that does not pass this check is discarded. An off-path attacker therefore has to guess not only the connection's addresses and ports but also a valid 32-bit sequence number, which protects TCP against spoofed ICMP packets.

Set the tunable as follows:

        icmp_tcpseqcheck=1 (default)
        Provides a level of protection that reduces the probability of accepting a spoofed ICMP packet as valid to roughly 1 in 2^32 per forged packet (somewhat higher while a large amount of unacknowledged data is in flight, since any sequence number inside that range passes the check)
                
                
        icmp_tcpseqcheck=0
        Retains existing behavior, i.e., accepts all ICMP packets
                
icmp_rejectcodemask
The Requirements for IP Version 4 Routers (RFC 1812) states that research suggests the use of ICMP Source Quench packets is an ineffective (and unfair) antidote for congestion. HP therefore recommends ignoring ICMP Source Quench packets entirely using the icmp_rejectcodemask tunable. icmp_rejectcodemask is a bitmask in which bit N, when set, makes the system reject every ICMP message whose type field is N. For example, Source Quench is ICMP type 4 (ICMP_SOURCEQUENCH), so its mask bit is 2^4 = 16, i.e. 0x10. The tunable can be used to reject any ICMP message type, and bits can be ORed together to reject more than one type (for example, 0x30 rejects both Source Quench, type 4, and Redirect, type 5). Be careful with bit 3: rejecting all Destination Unreachable messages also discards the "fragmentation needed" messages that Path MTU Discovery depends on.

The ICMP type values (the ICMP_* constants) are defined in /usr/include/netinet/ip_icmp.h.

Set the tunable as follows:

        icmp_rejectcodemask = 0x10
        Rejects ICMP Source Quench packets
                
                
        icmp_rejectcodemask = 0 (default)
        Retains existing behavior, i.e., accepts all ICMP packets
                
Adjusting the variables
Both tunables belong to the inet subsystem. sysconfig -r changes the running kernel immediately (the change does not survive a reboot); sysconfigdb -m merges the setting into /etc/sysconfigtab so that it is applied at every boot. The ICMP sequence check variable (icmp_tcpseqcheck) can be adjusted using the sysconfig and sysconfigdb commands as follows (the example sets it to 0 only to show the mechanism; on a production system leave it at the default of 1):

        # sysconfig -q inet icmp_tcpseqcheck
        inet:
        icmp_tcpseqcheck = 1

        # sysconfig -r inet icmp_tcpseqcheck=0
        icmp_tcpseqcheck: reconfigured

        # sysconfig -q inet icmp_tcpseqcheck
        inet:
        icmp_tcpseqcheck = 0

        # sysconfig -q inet icmp_tcpseqcheck > /tmp/icmp_tcpseqcheck_merge

        # sysconfigdb -m -f /tmp/icmp_tcpseqcheck_merge inet

        # sysconfigdb -l inet
        inet:
                icmp_tcpseqcheck = 0

Similarly, the icmp_rejectcodemask variable can be adjusted using the sysconfig and sysconfigdb commands. Note that sysconfig reports the mask in decimal, so the 0x10 set here is displayed as 16:

        # sysconfig -q inet icmp_rejectcodemask
        inet:
        icmp_rejectcodemask = 0

        # sysconfig -r inet icmp_rejectcodemask=0x10
        icmp_rejectcodemask: reconfigured

        # sysconfig -q inet icmp_rejectcodemask
        inet:
        icmp_rejectcodemask = 16

        # sysconfig -q inet icmp_rejectcodemask > /tmp/icmp_rejectcodemask_merge

        # sysconfigdb -m -f /tmp/icmp_rejectcodemask_merge inet

        # sysconfigdb -l inet
        inet:
                icmp_rejectcodemask = 16

