Check Point Advisories

Multiple Vendor ICMP Source Quench Denial of Service (CVE-2004-0791)

Check Point Reference: CPAI-2005-357
Date Published: 28 Feb 2010
Severity: Critical
Last Updated: Sunday 28 February, 2010
Source:
Industry Reference: CVE-2004-0791
Protection Provided by:

Security Gateway
R77, R75

Who is Vulnerable?
Vulnerability Description

The Internet Control Message Protocol (ICMP) is part of the Internet Protocol suite. ICMP facilitates error, control, and informational message exchange between network devices. For instance, ICMP may be used to test network connectivity between two hosts.

A vulnerability exists in multiple vendors' TCP/IP and ICMP implementations. A spoofed ICMP Source Quench message can reduce the efficiency of the TCP/IP stack of the target system. A remote attacker can exploit this vulnerability to degrade the network performance of the target system.

The attack requires an existing TCP session between two peers. The attacker can then target either one of the two connected hosts or any router on the network path between them. Upon receiving the malicious packet, the vulnerable host or router should cut down the rate at which it sends data to the host specified in the malicious packet.

The vulnerable host or router's performance is degraded while it processes the spoofed ICMP message: a relatively significant delay is inserted between the two TCP segments immediately following reception of the ICMP message. If no further spoofed packets are received, the vulnerable host or router recovers its normal transfer rate. The attack becomes noticeable only after a large number of such ICMP messages are received and processed by the vulnerable system. The attack affects only the one existing TCP session specified by the IP addresses and ports in the malicious packet.
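Because each spoofed message names its target session through the IP addresses and ports it quotes, a capture can be checked for sessions that receive an unusual number of Source Quench messages. The following is an added example, not Check Point code: it parses ICMP type 4 messages (RFC 792) and counts them per quoted TCP session. The function names, the sample addresses and the threshold of 5 are assumptions made for illustration.

```python
import socket
import struct
from collections import Counter

ICMP_SOURCE_QUENCH = 4   # RFC 792: type 4, code 0
IPPROTO_TCP = 6

def parse_source_quench(icmp: bytes):
    """Return the TCP 4-tuple quoted in a Source Quench message, else None."""
    if len(icmp) < 8 or icmp[0] != ICMP_SOURCE_QUENCH or icmp[1] != 0:
        return None
    quoted = icmp[8:]                  # quoted IPv4 header + first 8 data bytes
    if len(quoted) < 20 or quoted[0] >> 4 != 4:
        return None
    ihl = (quoted[0] & 0x0F) * 4       # quoted IP header length in bytes
    if ihl < 20 or quoted[9] != IPPROTO_TCP or len(quoted) < ihl + 4:
        return None
    src = socket.inet_ntoa(quoted[12:16])
    dst = socket.inet_ntoa(quoted[16:20])
    sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return (src, sport, dst, dport)

def flag_quenched_sessions(icmp_messages, threshold):
    """Count Source Quench messages per quoted session; keep counts >= threshold."""
    counts = Counter()
    for msg in icmp_messages:
        flow = parse_source_quench(msg)
        if flow is not None:
            counts[flow] += 1
    return {flow: n for flow, n in counts.items() if n >= threshold}

def build_sample(src, sport, dst, dport, icmp_type=ICMP_SOURCE_QUENCH):
    """Constructed test input: ICMP header + quoted IPv4 header + 8 TCP bytes."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp8 = struct.pack("!HHI", sport, dport, 1000)
    return struct.pack("!BBHI", icmp_type, 0, 0, 0) + ip + tcp8

if __name__ == "__main__":
    # Constructed capture: 5 quenches quoting one session, 1 quoting another,
    # and 1 ICMP echo reply (type 0) that must be ignored.
    msgs = [build_sample("192.0.2.10", 40000, "198.51.100.5", 443)] * 5
    msgs.append(build_sample("192.0.2.11", 40001, "198.51.100.5", 22))
    msgs.append(build_sample("192.0.2.10", 40000, "198.51.100.5", 443, icmp_type=0))
    # threshold=5 is an assumed value; tune it to the monitored network.
    for flow, n in flag_quenched_sessions(msgs, threshold=5).items():
        print(f"{n} Source Quench messages quoting TCP session {flow}")
```

The input is expected to start at the ICMP header, so any outer IP header has to be stripped by the capture tooling first.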

Protection Overview

This protection will detect and block attempts to exploit this vulnerability.

To activate the protection, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click the Protection tab, and select the version of your choice.

Security Gateway R77 / R75

  1. In the IPS tab, click Protections, find the Multiple Vendor ICMP Source Quench Denial of Service protection using the Search tool, and Edit the protection's settings.
  2. Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name:  ICMP Protocol Violation.
