Use access-lists to filter IP packets with IP options

In the security advisory detailing the Crafted IP Option Vulnerability (a nasty bug that allows an intruder to reset your router with a ping packet), the authors forgot to mention a great tool available in IOS release 12.3(4)T (and integrated in 12.4): the ability to filter packets with IP options in an access-list. I've used this proof-of-concept access list that logs all ping packets with IP options:
ip access-list extended LogOptions
permit icmp any any echo option any-options log
permit icmp any any echo-reply option any-options log
permit ip any any
After an extended ping from my Windows XP workstation, the router (as expected) logged the offending packets:
%SEC-6-IPACCESSLOGDP: list LogOptions permitted icmp 10.0.0.10 -> 172.16.0.12 (8/0), 1 packet
%SEC-6-IPACCESSLOGDP: list LogOptions permitted icmp 10.0.0.10 -> 172.16.0.12 (8/0), 3 packets
Note: you can easily generate ICMP packets with IP options with the -r, -s, -j or -k options of the Windows XP ping program (and I am positive Linux ping has equivalent options).

Reading the Cisco advisory, the IP access-list that would drop all dangerous packets would be similar to this one (not tested, use at your own discretion):
ip access-list extended ProtectRouter
deny icmp any any echo option any-options
deny icmp any any information-request option any-options
deny icmp any any timestamp-request option any-options
deny icmp any any mask-request option any-options
deny pim any any option any-options
deny 113 any any option any-options
deny tcp any any eq 465 option any-options
permit ip any any
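To make the semantics of the two access-lists above concrete, here is an added example (my own code, not Cisco's and not part of the original post) that simulates how IOS classifies packets against them. The key point it demonstrates is that `option any-options` matches any IPv4 header whose IHL field is greater than 5, i.e. any header longer than 20 bytes, regardless of which option is present. The packet builder, the `Ace`/`Packet` classes and the sample packets (a ping carrying a Record Route option, the kind `ping -r` produces; a plain ping; a TCP segment to port 465 with NOP option bytes) are all constructed for this example; the log line format is the one shown in the post.

```python
"""Simulate IOS extended-ACL matching of the 'option any-options' keyword.
'any-options' is true for any IPv4 header with IHL > 5 (header longer than 20 bytes)."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO_ICMP, PROTO_TCP, PROTO_PIM, PROTO_PGM = 1, 6, 103, 113
PROTO_BY_KEYWORD = {"icmp": PROTO_ICMP, "tcp": PROTO_TCP, "pim": PROTO_PIM, "113": PROTO_PGM}
ICMP_ECHO_REPLY, ICMP_ECHO, ICMP_TIMESTAMP_REQUEST, ICMP_INFO_REQUEST, ICMP_MASK_REQUEST = 0, 8, 13, 15, 17


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    has_options: bool              # True when IHL > 5
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass
class Ace:
    """One access-list entry (hypothetical representation of an IOS ACE)."""
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "icmp", "tcp", "pim" or a protocol number such as "113"
    match: Optional[int] = None    # ICMP type for icmp entries, destination port for tcp entries
    any_options: bool = False      # the 'option any-options' keyword is present
    log: bool = False


# The two access-lists from the post, entry by entry.
LOG_OPTIONS = [
    Ace("permit", "icmp", ICMP_ECHO, any_options=True, log=True),
    Ace("permit", "icmp", ICMP_ECHO_REPLY, any_options=True, log=True),
    Ace("permit", "ip"),
]
PROTECT_ROUTER = [
    Ace("deny", "icmp", ICMP_ECHO, any_options=True),
    Ace("deny", "icmp", ICMP_INFO_REQUEST, any_options=True),
    Ace("deny", "icmp", ICMP_TIMESTAMP_REQUEST, any_options=True),
    Ace("deny", "icmp", ICMP_MASK_REQUEST, any_options=True),
    Ace("deny", "pim", any_options=True),
    Ace("deny", "113", any_options=True),
    Ace("deny", "tcp", 465, any_options=True),
    Ace("permit", "ip"),
]


def build_ipv4(proto: int, src: str, dst: str, payload: bytes, options: bytes = b"") -> bytes:
    """Constructed test packet: 20-byte IPv4 header (checksum left zero) + options + payload."""
    options += b"\x00" * (-len(options) % 4)   # options are padded to a 32-bit boundary
    ihl = 5 + len(options) // 4                # IHL counts 32-bit words; 5 means no options
    to_bytes = lambda ip: bytes(int(o) for o in ip.split("."))
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options) + len(payload),
                         0, 0, 64, proto, 0, to_bytes(src), to_bytes(dst))
    return header + options + payload


def parse_ipv4(raw: bytes) -> Packet:
    """Extract only the fields the ACL needs; options are detected purely from IHL."""
    version, ihl = raw[0] >> 4, raw[0] & 0x0F
    header_len = ihl * 4
    if version != 4 or header_len < 20 or len(raw) < header_len:
        raise ValueError("not a well-formed IPv4 header")
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    payload = raw[header_len:]
    pkt = Packet(raw[9], src, dst, has_options=ihl > 5)
    if pkt.proto == PROTO_ICMP and len(payload) >= 2:
        pkt.icmp_type, pkt.icmp_code = payload[0], payload[1]
    elif pkt.proto == PROTO_TCP and len(payload) >= 4:
        pkt.dst_port = struct.unpack("!H", payload[2:4])[0]
    return pkt


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and pkt.proto != PROTO_BY_KEYWORD[ace.proto]:
        return False
    if ace.any_options and not pkt.has_options:
        return False
    if ace.proto == "icmp" and ace.match is not None and pkt.icmp_type != ace.match:
        return False
    if ace.proto == "tcp" and ace.match is not None and pkt.dst_port != ace.match:
        return False
    return True


def evaluate(acl_name: str, acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[str]]:
    """First matching entry wins; returns (action, log line or None). No match = implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            log = None
            if ace.log:
                verb = "permitted" if ace.action == "permit" else "denied"
                proto_name = {PROTO_ICMP: "icmp", PROTO_TCP: "tcp"}.get(pkt.proto, str(pkt.proto))
                detail = f" ({pkt.icmp_type}/{pkt.icmp_code})" if pkt.proto == PROTO_ICMP else ""
                log = f"%SEC-6-IPACCESSLOGDP: list {acl_name} {verb} {proto_name} {pkt.src} -> {pkt.dst}{detail}, 1 packet"
            return ace.action, log
    return "deny", None


# Constructed samples: a ping with a Record Route option (IHL becomes 15), a plain ping,
# and a TCP segment to port 465 whose header carries four NOP option bytes (IHL 6).
RECORD_ROUTE = bytes([7, 39, 4]) + b"\x00" * 36
ECHO = struct.pack("!BBHHH", ICMP_ECHO, 0, 0, 1, 1)
PING_WITH_OPTIONS = build_ipv4(PROTO_ICMP, "10.0.0.10", "172.16.0.12", ECHO, RECORD_ROUTE)
PLAIN_PING = build_ipv4(PROTO_ICMP, "10.0.0.10", "172.16.0.12", ECHO)
TCP_465_WITH_OPTIONS = build_ipv4(PROTO_TCP, "10.0.0.10", "172.16.0.12", struct.pack("!HH", 40000, 465), b"\x01" * 4)

if __name__ == "__main__":
    for name, acl in (("LogOptions", LOG_OPTIONS), ("ProtectRouter", PROTECT_ROUTER)):
        for raw in (PING_WITH_OPTIONS, PLAIN_PING, TCP_465_WITH_OPTIONS):
            print(name, evaluate(name, acl, parse_ipv4(raw)))
```

Running it shows the same packet that `LogOptions` permits and logs being dropped by `ProtectRouter`, while the identical ping without options passes both lists; the `evaluate` function also reproduces the implicit deny at the end of every IOS access-list when nothing matches.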