Improving Web Application Security: Threats and - CGISecurity


Chapter 15: Securing Your Network (page 411)

Blocking ICMP traffic at the outer perimeter router protects you from attacks such as cascading ping floods. Other ICMP vulnerabilities exist that justify blocking this protocol. While ICMP can be used for troubleshooting, it can also be used for network discovery and mapping. Therefore, control the use of ICMP. If you must enable it, use it in echo-reply mode only.

Prevent TTL Expired Messages with Values of 1 or 0

Trace routing uses TTL values of 1 and 0 to count routing hops between a client and a server. Trace routing is a means to collect network topology information. By blocking packets of this type, you prevent an attacker from learning details about your network from trace routes.

Do Not Receive or Forward Directed Broadcast Traffic

Directed broadcast traffic can be used to enumerate hosts on a network and as a vehicle for a denial of service attack. For example, by blocking specific source addresses, you prevent malicious echo requests from causing cascading ping floods. Source addresses that should be filtered are shown in Table 15.2.

Table 15.2 Source Addresses That Should Be Filtered

Source address        Description
0.0.0.0/8             Historical broadcast
10.0.0.0/8            RFC 1918 private network
127.0.0.0/8           Loopback
169.254.0.0/16        Link local networks
172.16.0.0/12         RFC 1918 private network
192.0.2.0/24          TEST-NET
192.168.0.0/16        RFC 1918 private network
224.0.0.0/4           Class D multicast
240.0.0.0/5           Class E reserved
248.0.0.0/5           Unallocated
255.255.255.255/32    Broadcast

For more information on broadcast suppression using Cisco routers, see "Configuring Broadcast Suppression" on the Cisco Web site at http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a00800eb778.html.
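The following is an added example, not code from the book, showing how the filter list in Table 15.2 can be applied as an ingress check and how the same list can be used to audit firewall logs for packets that should have been dropped at the perimeter. The log lines are constructed for the example, and the field names (SRC=, DST=, PROTO=) are an assumption about the log format rather than any particular product's output.

```python
import ipaddress

# Source prefixes to drop at the outer perimeter, taken from Table 15.2.
FILTERED_SOURCES = [
    ("0.0.0.0/8", "Historical broadcast"),
    ("10.0.0.0/8", "RFC 1918 private network"),
    ("127.0.0.0/8", "Loopback"),
    ("169.254.0.0/16", "Link local networks"),
    ("172.16.0.0/12", "RFC 1918 private network"),
    ("192.0.2.0/24", "TEST-NET"),
    ("192.168.0.0/16", "RFC 1918 private network"),
    ("224.0.0.0/4", "Class D multicast"),
    ("240.0.0.0/5", "Class E reserved"),
    ("248.0.0.0/5", "Unallocated"),
    ("255.255.255.255/32", "Broadcast"),
]

# Most specific prefix first, so 255.255.255.255 reports "Broadcast"
# rather than the enclosing 248.0.0.0/5 entry.
NETWORKS = sorted(
    ((ipaddress.ip_network(cidr), desc) for cidr, desc in FILTERED_SOURCES),
    key=lambda item: item[0].prefixlen,
    reverse=True,
)


def classify_source(src):
    """Return the Table 15.2 description if src should be filtered, else None."""
    addr = ipaddress.ip_address(src)
    for net, desc in NETWORKS:
        if addr in net:
            return desc
    return None


def parse_log_line(line):
    """Parse a 'KEY=value' style firewall log line (assumed format) into a dict."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def audit_log(lines):
    """Return log entries whose source address should have been filtered.

    Each result is (line_number, src, reason) so an analyst can see which
    perimeter rule is missing or misconfigured.
    """
    findings = []
    for number, line in enumerate(lines, start=1):
        fields = parse_log_line(line)
        src = fields.get("SRC")
        if not src:
            continue
        reason = classify_source(src)
        if reason is not None:
            findings.append((number, src, reason))
    return findings


# Constructed sample log lines: inbound packets seen behind the perimeter.
SAMPLE_LOG = [
    "ACCEPT IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=443",
    "ACCEPT IN=eth0 SRC=10.1.2.3 DST=203.0.113.10 PROTO=ICMP TYPE=8",
    "ACCEPT IN=eth0 SRC=255.255.255.255 DST=203.0.113.255 PROTO=ICMP TYPE=8",
    "ACCEPT IN=eth0 SRC=224.0.0.1 DST=203.0.113.10 PROTO=UDP DPT=5353",
    "ACCEPT IN=eth0 SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP DPT=80",
]

if __name__ == "__main__":
    for number, src, reason in audit_log(SAMPLE_LOG):
        print(f"line {number}: {src} should have been dropped ({reason})")
```

The audit reports every accepted packet whose source falls inside one of the listed prefixes; the first sample line, from an address not in the table, is left alone. Sorting by prefix length matters because the table contains overlapping entries.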
