This is the Title of the Book, eMatter Edition
Copyright © 2002 O’Reilly & Associates, Inc. All rights reserved.
CHAPTER 7
Unnecessary Protocols and Services
Nearly all networked systems and routers have many services automatically activated for the convenience of the administrator. These features, enabled by default, often provide attackers points of entry to gather information or gain access into the router. Since each service provides a possible access point, it is important to turn off all services that are not needed or that are security risks.
ICMP
The Internet Control Message Protocol (ICMP) enhances network functionality and
is invaluable for testing network connectivity and determining network paths. No
one troubleshooting a network problem would want to be without the ability to ping
and traceroute. ICMP also provides incredible functionality that an attacker can
manipulate to collect vast amounts of information about your routers, your network
topology, and the systems on your network.
It is extremely difficult to keep a determined attacker from discovering information about any system attached to the Internet. However, the recommendations that follow will make that job harder and keep casual attackers from finding your network attractive.
ICMP MTU Discovery
Many sites choose to deny all ICMP packets into and out of their networks. This solution almost works. The only ICMP message type that causes problems when disabled is maximum transfer unit (MTU) discovery. MTU discovery optimizes the size of packets between two systems. Disabling MTU discovery can cause severe performance problems. It can also cause sporadic problems in which small packets are allowed through, but larger ones aren't. This can cause enormous troubleshooting headaches unless the administrator understands how MTU discovery is done. To avoid these problems, you need to allow the ICMP packets responsible for MTU discovery both
ICMP redirects allow systems to change the way packets are passed through a network. By sending ICMP redirects, attackers can redirect all or part of your network traffic through a router of their choice, allowing them to monitor and record the traffic or even hijack sessions. On a functional network using a routing protocol, disabling ICMP redirects should have no negative impact on your networks and should help secure your routers from being manipulated by hackers.
ICMP redirects—sending
To stop your router from sending ICMP redirects, you need to enter the command no ip redirects under each interface. The following code stops the interface FastEthernet 0/0 from sending redirects:
Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface FastEthernet 0/0
Router(config-if)#no ip redirects
Router(config-if)#^Z
Router#
The no ip redirects command should be entered under each interface on every router.
ICMP redirects—receiving
To keep the router from receiving ICMP redirects, you must use access lists. The safest way is to block each interface from receiving ICMP redirects. However, on larger networks with hundreds of interfaces, this can be a daunting task. In these cases, at a minimum you need to block ICMP redirects on all router interfaces between autonomous domains (i.e., your network and one controlled by someone else). To block an interface from receiving ICMP redirects:
to a specific host, but can also be addressed to an entire network or subnet. When a single ICMP ping is sent to a network, then most machines on that network respond
to the ping request. This is the well-known smurf attack. An attacker sends an ICMP
echo (ping) request to a network, but spoofs the source address to look as if it comes
from a victim IP. Then tens or hundreds of machines all send back ping responses to
the victim IP, overwhelming it. It is difficult to avoid being a victim of this type of attack, but with proper router configuration, you can prevent your network from being used by an attacker. This is important for two reasons. First, hundreds of machines on
your network responding to ping requests simultaneously can easily overwhelm your
network and consume all of your bandwidth. Second, to the victim it looks as if your
network is doing the attacking. You can prevent both of these problems by using the
no ip directed-broadcast command on each router interface.
This command causes your router to block all ICMP packets sent to network or subnet addresses. To prevent your network from being a host to smurf attacks, the following example should be applied to all of your router interfaces:
Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface Serial 0/1
Router(config-if)#no ip directed-broadcast
Router(config-if)#^Z
Router#
ICMP Mask Reply
Many ICMP functionalities have been superseded by protocols such as BOOTP and
DHCP. ICMP mask reply is one of them. This ICMP type allows the router to inform
other work. When a system attempts an invalid connection but doesn't receive an ICMP unreachable message, the system then continues waiting for the remote system to respond. This waiting can last from several seconds to several minutes until the connecting system times out.
The security implications of allowing or disabling ICMP unreachables are related to an attacker scanning your router to determine what services you are running and what services might be vulnerable to attack. Many scanning methods rely on ICMP unreachable messages to concretely determine when a service is disabled. When scanning a system, ICMP unreachable messages are sent back to the attackers whenever they scan a port that is closed. The router, in effect, tells the attackers, "Sorry, this door is closed." This allows attackers to scan a system very quickly and know exactly which ports are open and which are closed. By disabling ICMP unreachables, an attacker receives no notice that the port is closed, and these types of scans take much longer to perform. While disabling ICMP unreachables works only for certain scanning methods, it does make an attacker's job a little bit harder, which is always good.
Disabling ICMP unreachables must be done on every interface with the no ip unreachables command. The following disables ICMP unreachables on the FastEthernet 0/1 and the Serial 0/0 interfaces:
Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface FastEthernet 0/1
Router(config-if)#no ip unreachables
Router(config-if)#exit
Router(config)#interface Serial 0/0
Router(config-if)#no ip unreachables
Router(config-if)#^Z
Router#
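As an added example (not from the book), a small Python audit that reads a Cisco IOS running-config and reports, per interface, which of the three per-interface commands this chapter recommends (no ip redirects, no ip directed-broadcast, no ip unreachables) are missing. The sample config text is constructed for illustration; the function names are my own.

```python
import re
# Per-interface commands the chapter says to apply on every router interface.
REQUIRED = ("no ip redirects", "no ip directed-broadcast", "no ip unreachables")
# Constructed sample running-config (not from a real router): one interface fully
# hardened, one partly hardened, one with none of the commands.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip directed-broadcast
 no ip unreachables
!
interface Serial0/1
 ip address 198.51.100.1 255.255.255.252
 no ip redirects
!
interface Loopback0
 ip address 203.0.113.1 255.255.255.255
!
line vty 0 4
 transport input ssh
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to the list of indented lines beneath it."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # any other top-level stanza ends the interface block
    return interfaces

def audit_icmp_hardening(config):
    """Return {interface: [missing REQUIRED commands]}; fully hardened ones are omitted."""
    # Assumption: each protection shows up as an explicit 'no ip ...' line in the
    # running-config, which is how IOS displays a setting that differs from its default.
    findings = {}
    for name, lines in parse_interfaces(config).items():
        missing = [cmd for cmd in REQUIRED if cmd not in lines]
        if missing:
            findings[name] = missing
    return findings
```

On IOS releases where directed broadcast forwarding is already off by default, the no ip directed-broadcast line does not appear in the running-config, so a flagged interface should be confirmed with show ip interface before treating it as a finding.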
The no ip unreachables command stops each interface from sending all
types of ICMP unreachable packets. While using this command helps
prevent or slow down an attacker’s attempt to gather information