Cisco Interaction Network

I’ve always loved the Star Trek episode Mirror-Mirror, where there was a good Kirk in the Federation cruisin’ the galaxy finishing fights and going out with all kinds of alien girls, and an evil counterpart in the Terran Empire starting fights, monogamous and yet equally as dramatic. I learned a few things after my 57890th time watching that episode:

- Spock looked way cool in a goatee

- Mistakes are often symmetrical

As time passed, I noticed that anytime I made a mistake, more than just me learned a lesson. An oops in the Federation was a Yes! in the Terran Empire. The first time I had a router of mine hacked, I could not figure out what I did wrong until I understood a little more about programming in C and legacy services. Unlike other technologies, networking has a long history and is designed to scale and grow forward while still supporting the old stuff.

 

There are many services on routers that do not need to be turned on BUT many times are on by default to support legacy services. If there ever was a protocol that should wear a red shirt on the network it is ICMP. ICMP is a flexible protocol dedicated to a small but direct set of tasks. These tasks are defined by Types and Codes. There are 255 Types; however, only 0-40 are mapped to a use and the remaining ones are reserved. A Type designates what the ICMP message is dedicated to doing. For example, ICMP type 3 is Destination Unreachable. A few ICMP Types have Codes that define a little more about what is going on. For example, ICMP type 3 code 1 means the destination is unreachable (type 3) BECAUSE (code 1) the host is unreachable. Only ICMP Types 3, 5, 11, 12 and 40 have codes assigned to them currently.

Now ICMP is cool; it was designed to help troubleshoot and maintain a network. We have all used Ping before. That is just ICMP type 8 (type 0 for the reply). As a fun trivia fact, Michael Muuss, the author of Ping, wrote this program overnight, and it does not stand for Packet InterNet Groper! Unfortunately Mike has passed on; however, he left a great story about the creation of PING and other stuff at http://ftp.arl.army.mil/~mike/

Remember the goatee version of Spock also uses ICMP to recon your network. Let’s control a few of these services and turn off others. Not all ICMP is used by hackers; we need some of it for normal operation. Remember even goatee Spock could still use reason and logic after he opened up a can of butt kickin’ on evil Sulu. Please do not console in and create an ACL to block all ICMP.

ICMP MTU Discovery (type 3 code 4) is how a sender learns that a packet needs to be fragmented. We do not want to block this service. Blocking it can cause big-time performance problems and the weirdest errors on your network. If you need to block ICMP then create an ACL that looks something like this:

TechWiseTVRTR(config)#access-list 101 permit icmp any any 3 4
TechWiseTVRTR(config)#access-list 101 deny icmp any any
TechWiseTVRTR(config)#access-list 101 permit ip any any
TechWiseTVRTR(config)#int eth 0/1
TechWiseTVRTR(config-if)#ip access-group 101 in

This will bit-bucket all ICMP except type 3 code 4. If you need to support Ping and traceroute (most folks do) you need to also permit type 0 (ping replies) and type 11 (traceroute) in your ACL statement. Please understand that leaving traceroute open leaves you open to firewalking, which is an old-school method of determining your ACL by using traceroute. Read more about this here: http://www.packetfactory.net/firewalk/firewalk-final.html
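To make the Type/Code idea and the ACL above concrete, here is an added example (my code, not from the original post or from Cisco) that pulls the ICMP type and code out of raw IPv4 packets, names them, and then walks ACL 101 top to bottom the way IOS does, first match wins with the implicit deny at the end. The packet bytes are constructed for the demo, the type and code names come from RFC 792, and the second ACL list is the "also permit type 0 and type 11" variant described above.

```python
"""Decode ICMP types/codes from raw IPv4 packets and evaluate the post's ACL 101 against them.

Added example, not code from the original post or from Cisco. The packet bytes are
constructed for the demo; ACL_101 mirrors the three access-list lines quoted in the post."""
import struct

# ICMP types the post talks about (RFC 792 values).
ICMP_TYPES = {
    0: "echo reply", 3: "destination unreachable", 5: "redirect", 8: "echo request",
    11: "time exceeded", 12: "parameter problem", 13: "timestamp request",
    14: "timestamp reply", 15: "information request", 16: "information reply",
    17: "address mask request", 18: "address mask reply",
}
# Codes that refine a type; (3, 4) is the MTU-discovery message the post says to keep.
ICMP_CODES = {
    (3, 0): "net unreachable", (3, 1): "host unreachable", (3, 3): "port unreachable",
    (3, 4): "fragmentation needed and DF set", (5, 1): "redirect for host",
    (11, 0): "TTL exceeded in transit",
}


def parse_icmp(packet):
    """Return (type, code) for an IPv4 packet carrying ICMP, or None if the payload is not ICMP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes (options included)
    if packet[9] != 1:                    # protocol field: 1 = ICMP
        return None
    if len(packet) < ihl + 4:
        raise ValueError("truncated ICMP header")
    return struct.unpack_from("!BB", packet, ihl)


def describe(icmp_type, icmp_code):
    """Human-readable 'type N (name) code M (name)' string for log lines."""
    tname = ICMP_TYPES.get(icmp_type, "unassigned/reserved")
    cname = ICMP_CODES.get((icmp_type, icmp_code), "no code meaning")
    return f"type {icmp_type} ({tname}) code {icmp_code} ({cname})"


# ACL entries as (action, protocol, icmp_type, icmp_code); None means "any".
ACL_101 = [
    ("permit", "icmp", 3, 4),       # access-list 101 permit icmp any any 3 4
    ("deny", "icmp", None, None),   # access-list 101 deny icmp any any
    ("permit", "ip", None, None),   # access-list 101 permit ip any any
]
# The variant the post describes for sites that need ping replies and traceroute.
ACL_101_PING_TRACEROUTE = [
    ("permit", "icmp", 3, 4),
    ("permit", "icmp", 0, None),    # echo reply
    ("permit", "icmp", 11, None),   # time exceeded (traceroute)
    ("deny", "icmp", None, None),
    ("permit", "ip", None, None),
]


def acl_decision(packet, acl=ACL_101):
    """First matching entry wins, top to bottom, with IOS's implicit deny at the end."""
    tc = parse_icmp(packet)
    for action, proto, t, c in acl:
        if proto == "ip":
            return action
        if proto == "icmp" and tc is not None:
            if (t is None or t == tc[0]) and (c is None or c == tc[1]):
                return action
    return "deny"


def build_ipv4(proto, payload, src=b"\xc0\x00\x02\x01", dst=b"\xc0\x00\x02\x02"):
    """Constructed minimal IPv4 header (checksum left zero) in front of payload; demo input only."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return header + payload


def build_icmp(icmp_type, icmp_code):
    """Constructed IPv4+ICMP packet with an 8-byte ICMP header (checksum left zero)."""
    return build_ipv4(1, struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0, 0))


if __name__ == "__main__":
    samples = [build_icmp(3, 4), build_icmp(8, 0), build_icmp(13, 0), build_ipv4(6, b"\x00" * 20)]
    for pkt in samples:
        tc = parse_icmp(pkt)
        label = describe(*tc) if tc else "non-ICMP (protocol %d)" % pkt[9]
        print(f"{label:60s} ACL 101: {acl_decision(pkt)}  "
              f"with ping/traceroute: {acl_decision(pkt, ACL_101_PING_TRACEROUTE)}")
```

Running it shows the point of the post in one screen: the fragmentation-needed message gets through both ACLs, a timestamp request (type 13) is dropped by both, an inbound echo request is dropped even by the ping/traceroute variant (only the type 0 replies are allowed back in), and non-ICMP traffic falls through to the `permit ip any any` line.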

Some of the hackers’ favorites you are blocking with this ACL include:

- ICMP Timestamp and Info. These are so useful to hacker types in that they can allow a hacker to not only map out your network but also confirm the time and date set on your router, so they know where to erase points in a log or for trending info.

- ICMP Redirects (receiving). This protocol allows a hacker to change the way packets flow thru a network. If you also want to block the sending of ICMP redirects, do that at the interface level with the command:

TechWiseTVRTR(config)#int eth 0/1
TechWiseTVRTR(config-if)#no ip redirects

While you are at it, also turn off the following (the ICMP ones are interface commands; source routing and the small services are global commands):

- ip unreachables   This is ICMP Unreachable and is used by many, many hackers for port scanning to see which ports are open, which are closed and which are filtered.

- ip mask-reply    This is ICMP Mask Reply and is used by a hacker to map out your network. It has long been superseded by BootP/DHCP.

- ip directed-broadcast   This is for ICMP Directed Broadcast, the good ole Smurf attack. Hey, anyone remember reading about how the Smurfs cartoon promoted communism? Smurf that man!

- ip source-route  This is NOT ICMP. It is a big risk on a network since it allows a hacker to determine the path thru your network rather than taking the normal path. This allows a hacker to bypass IDS and firewalls.

- tcp and udp small services. These are basically leftovers like chargen, echo, daytime, etc. Fun to read about, but not much use. As a matter of fact, one of the first router denial of service attacks I learned was to pipe a chargen port to an echo port and tie up the CPU processing characters. When I wore a much younger man’s clothes, I used to do this in router training classes to instructors to be a real whank. Remember to turn off both UDP and TCP separately.

So your hardening script should look something like this (source routing and the small servers are global commands, the rest go on the interface):

TechWiseTVRTR(config)#no ip source-route
TechWiseTVRTR(config)#no service tcp-small-servers
TechWiseTVRTR(config)#no service udp-small-servers
TechWiseTVRTR(config)#int eth 0/1
TechWiseTVRTR(config-if)#no ip redirects
TechWiseTVRTR(config-if)#no ip unreachables
TechWiseTVRTR(config-if)#no ip mask-reply
TechWiseTVRTR(config-if)#no ip directed-broadcast

IOS version 12.4 has some of these services disabled by default. However, old habits die hard. I still turn these off, not just to make sure, but so I can pass audits faster when the goober auditors look for this manually in the config. Also, products like CCP and CNA have one-touch secure features that can turn these and a few other services off as well. Either way works great, just make sure you turn ’em off. Just like in the Star Trek novel Killing Time, when Captain Kirk is turned back into an ensign in a diabolical time-shifting plot and a crew member tells him in the inter-galactic locker room, ”You do not want to wear a red shirt on landing party duty.” Neither does your router when facing the hostile alien world of Internet hackers…
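Since the whole point of making these lines explicit is to get through an audit faster, here is an added example (my code, not from the original post or from any Cisco tool) that does the auditor’s job for you: it parses a saved running-config into global lines and per-interface stanzas and reports which of the hardening commands from the post are missing, plus any small-server service that somebody turned on by hand. It assumes the stock `show running-config` layout (interface lines indented by one space, `!` separators) and, like the post, requires the `no ...` lines to be present explicitly rather than trusting platform defaults; the SAMPLE_CONFIG is constructed for the demo.

```python
"""Audit an IOS running-config for the hardening lines the post recommends.

Added example, not code from the original post or a Cisco tool. Assumes the stock
'show running-config' layout and requires the 'no ...' lines to appear explicitly,
as the post recommends. SAMPLE_CONFIG is constructed for the demo."""

# Global-configuration commands from the post.
REQUIRED_GLOBAL = [
    "no ip source-route",
    "no service tcp-small-servers",
    "no service udp-small-servers",
]
# Interface-configuration commands from the post.
REQUIRED_INTERFACE = [
    "no ip redirects",
    "no ip unreachables",
    "no ip mask-reply",
    "no ip directed-broadcast",
]

SAMPLE_CONFIG = """\
hostname TechWiseTVRTR
!
service tcp-small-servers
!
interface Ethernet0/0
 ip address 198.51.100.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip mask-reply
 no ip directed-broadcast
!
interface Ethernet0/1
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
!
end
"""


def parse_config(text):
    """Split a running-config into (global_lines, {interface_name: [stanza lines]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None                 # '!' (or a blank) ends the current stanza
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None                 # any unindented line is global config
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit_config(text):
    """Report missing hardening lines: {'global': [...], 'interfaces': {name: [...]}, 'explicitly_enabled': [...]}."""
    global_lines, interfaces = parse_config(text)
    return {
        "global": [cmd for cmd in REQUIRED_GLOBAL if cmd not in global_lines],
        "interfaces": {
            name: [cmd for cmd in REQUIRED_INTERFACE if cmd not in lines]
            for name, lines in interfaces.items()
        },
        # A service someone turned on by hand is worse than one left at its default;
        # cmd[3:] strips the leading "no " to get the enabling form of each command.
        "explicitly_enabled": [cmd[3:] for cmd in REQUIRED_GLOBAL if cmd[3:] in global_lines],
    }


if __name__ == "__main__":
    result = audit_config(SAMPLE_CONFIG)
    for cmd in result["global"]:
        print(f"global: missing '{cmd}'")
    for cmd in result["explicitly_enabled"]:
        print(f"global: '{cmd}' is explicitly turned on")
    for name, missing in result["interfaces"].items():
        for cmd in missing:
            print(f"{name}: missing '{cmd}'")
```

On the sample config it flags all three global lines as missing, calls out the hand-enabled `service tcp-small-servers`, passes Ethernet0/0 clean, and reports Ethernet0/1 as still missing `no ip mask-reply` and `no ip directed-broadcast`. Feed it the output of `show running-config` captured to a file and it gives you the checklist before the auditor does.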

Jimmy Ray Purser


Trivia File Transfer Protocol

The Ise Grand Shrine in Japan is the most sacred shrine in Japan and has been around since 4 BC. It’s reported to hold the most important item in Japan’s imperial history: the Naikū, which is the mirror from Japanese mythology that eventually ended up in the hands of the first emperors. Oh, and unless you’re a member of the Japanese Imperial Family, you ain’t gettin’ in!


2 Comments.


  1. Scott Fringer

    My first Cisco router was a CRM (Cisco Router Module) installed in a Cabletron MMAC-8 running IOS 9 (currently has 10.0(8) installed via EPROM replacements). My first big router was a WellFleet BCN.


  2. Great article, but this wouldn’t appear to make use of my router IP. Any helpful hints?
