ICMP (Internet Control Message Protocol) is one of the core protocols of the IP (Internet Protocol) suite. Network devices use it for error reporting and diagnostics, and network and system administrators use it to troubleshoot connectivity issues in the form of ping and traceroute.

Most people are familiar with ping and the basic functionality that ICMP provides, but ICMP defines over 40 message types. Two that have been known to be used in attacks are Timestamp Request (type 13) and Timestamp Reply (type 14). Types 13 and 14 are not attacked directly; rather, the reply hands an attacker the target's clock to the millisecond, information that can help attack time-based security algorithms. If left unchecked they also provide other useful reconnaissance information, such as confirming that a host is up even when echo requests are filtered. These issues have been around, in one form or another, for over 20 years.

This pattern of attack leverages standard requests to learn the exact time associated with a target system. An adversary may be able to use the timestamp returned from the target to attack time-based security algorithms, such as random number generators, or time-based authentication mechanisms.

- CAPEC

Allowing remote users to transmit ICMP request or reply packets onto a local network could result in an exploit, resulting in an attacker developing a network map for targeting purposes.

- Cisco Security Activity Bulletin

ICMP Timestamp Request and Reply are a low-risk finding, but an extremely common one. Since it is so common and so easy to mitigate, there is no reason to ignore it.

Red Hat Enterprise Linux is configured by default to respond to all ICMP requests. Users may configure the firewall to prevent a system from responding to certain ICMP requests.

- Official Statement from Red Hat - 5 JAN 2010

ICMP timestamp responses should be denied by the host firewall. Below you will find information for blocking ICMP timestamp request and reply on popular firewalls used by most Linux distributions.

NOTE: For highly critical systems it is possible to block ICMP completely, although this can have adverse effects on network connectivity. In particular, path MTU discovery depends on ICMP Fragmentation Needed (type 3, code 4) messages getting through, so dropping all of ICMP can silently break large transfers.

Block ICMP Timestamps with IPTables

Here we will block incoming ICMP timestamp requests using the INPUT chain and outgoing ICMP timestamp replies with the OUTPUT chain. Dropping the request is enough on its own; dropping the reply as well covers the case where a request slips in through another path. Please keep in mind that your firewall configuration is specific to your machine. Your iptables chains may have different names, which need to be modified in the examples below. Because ICMPv6 defines no timestamp message type, there is no corresponding ip6tables rule to add. For more information on iptables read "Basics of Iptables".

Block ICMP Timestamp requests (type 13) with iptables:

iptables -I INPUT -p icmp --icmp-type timestamp-request -j DROP

Block ICMP Timestamp reply (type 14) with iptables:

iptables -I OUTPUT -p icmp --icmp-type timestamp-reply -j DROP

Be sure to save your rules when you are done.

Red Hat / CentOS:

iptables-save > /etc/sysconfig/iptables

Debian / Ubuntu (requires the iptables-persistent package, which loads this file at boot):

iptables-save > /etc/iptables/rules.v4

Block all ICMP Traffic with IPTables

You can block all inbound ICMP traffic with iptables by using the following command (see the note above about the side effects of doing so):

iptables -I INPUT -p icmp -j DROP

Block ICMP Timestamps with FirewallD

Firewall configurations are usually very specific to the needs of the system. Take extra care to ensure the command below will work in your environment. For example, our development box has a default zone named public; your default zone may be different, so check which zone applies to the interface you want to protect before running it. To learn more about firewalld read "Introduction to Firewalld Basics".

firewall-cmd --zone=public --add-icmp-block={timestamp-request,timestamp-reply} --permanent

Reload your firewall to make the changes take effect.

firewall-cmd --reload

Block ICMP Timestamps with Uncomplicated Firewall (UFW)

I find the uncomplicated firewall to be... umm, complicated. There is no command to directly configure firewall rules by ICMP type; you have to edit the configuration files. Again, be careful and ensure you are matching these rules to your system's needs. To learn more about Uncomplicated Firewall (UFW) read "Uncomplicated Firewall Basics".

Add the following two lines to /etc/ufw/before.rules, inside the *filter section and above its closing COMMIT line:

-A ufw-before-input -p icmp --icmp-type timestamp-request -j DROP
-A ufw-before-output -p icmp --icmp-type timestamp-reply -j DROP

Reload the firewall

sudo ufw reload
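The following is an added example, not code from the original article, that ties the two halves of this post together. It builds the type 13 request and parses the type 14 reply in plain Python (no third-party modules), computes the target's clock offset from the four timestamps in the NTP manner, which is the disclosure the CAPEC description above refers to, and doubles as a check for the iptables, firewalld and ufw rules: run it against a host before and after applying them and the reply should disappear. The raw-socket probe assumes Linux and root or CAP_NET_RAW; the host address in the usage note and the reply values mentioned below are constructed for illustration.

```python
"""ICMP Timestamp (type 13/14) probe: what a reply discloses, and whether a host still answers.

Added example for this article, not code from the original post. The raw-socket probe
assumes Linux and root or CAP_NET_RAW; packet building and parsing run anywhere."""
import os
import socket
import struct
import time
from typing import Optional

ICMP_TIMESTAMP_REQUEST = 13
ICMP_TIMESTAMP_REPLY = 14
MS_PER_DAY = 86_400_000
# RFC 792 layout: type, code, checksum, identifier, sequence, then originate,
# receive and transmit timestamps, each in milliseconds since midnight UT.
_HDR = struct.Struct("!BBHHHIII")


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; 0 for a correctly checksummed packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ms_since_midnight_utc(now: Optional[float] = None) -> int:
    """The local clock in protocol units: milliseconds since midnight UT."""
    t = time.time() if now is None else now
    return int((t % 86400) * 1000)


def build_timestamp_message(typ: int, ident: int, seq: int,
                            originate: int, receive: int = 0, transmit: int = 0) -> bytes:
    """Serialise a type 13 (request) or type 14 (reply) message with a valid checksum."""
    body = _HDR.pack(typ, 0, 0, ident, seq, originate, receive, transmit)
    return _HDR.pack(typ, 0, internet_checksum(body), ident, seq, originate, receive, transmit)


def parse_timestamp_message(pkt: bytes) -> dict:
    """Parse a bare ICMP message; ValueError if it is not a well-formed type 13/14."""
    if len(pkt) < _HDR.size:
        raise ValueError("too short for an ICMP timestamp message")
    if internet_checksum(pkt[:_HDR.size]) != 0:
        raise ValueError("bad ICMP checksum")
    typ, code, _, ident, seq, orig, recv, xmit = _HDR.unpack_from(pkt)
    if typ not in (ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY):
        raise ValueError("ICMP type %d is not a timestamp message" % typ)
    # RFC 792: a set high-order bit flags a stamp that is not ms since midnight UT.
    return {"type": typ, "code": code, "id": ident, "seq": seq, "originate": orig,
            "receive": recv & 0x7FFFFFFF, "transmit": xmit & 0x7FFFFFFF,
            "nonstandard": bool((recv | xmit) & 0x80000000)}


def clock_offset_ms(reply: dict, originate_ms: int, reply_received_ms: int) -> int:
    """Target clock minus local clock (ms), NTP-style from the four stamps, wrapped to one day.

    This is the reconnaissance value of a type 14 reply: a single round trip reveals
    the target's clock to the millisecond, which is what time-based attacks build on."""
    offset = ((reply["receive"] - originate_ms) + (reply["transmit"] - reply_received_ms)) // 2
    return (offset + MS_PER_DAY // 2) % MS_PER_DAY - MS_PER_DAY // 2


def fmt_ms(ms: int) -> str:
    """Render a protocol timestamp as HH:MM:SS.mmm UT."""
    secs, ms = divmod(ms % MS_PER_DAY, 1000)
    hours, rem = divmod(secs, 3600)
    return "%02d:%02d:%02d.%03d" % (hours, rem // 60, rem % 60, ms)


def probe(host: str, timeout: float = 2.0) -> Optional[dict]:
    """Send one timestamp request; return the parsed reply with its clock offset, or None.

    None (timeout) is the result you want once the firewall rules in this article are loaded."""
    ident, seq = os.getpid() & 0xFFFF, 1
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as sock:
        sock.settimeout(timeout)
        t0 = ms_since_midnight_utc()
        sock.sendto(build_timestamp_message(ICMP_TIMESTAMP_REQUEST, ident, seq, t0), (host, 0))
        try:
            while True:
                data, _ = sock.recvfrom(1024)
                ihl = (data[0] & 0x0F) * 4        # raw IPv4 sockets deliver the IP header too
                try:
                    msg = parse_timestamp_message(data[ihl:])
                except ValueError:
                    continue                      # unrelated ICMP traffic; keep waiting
                if msg["type"] == ICMP_TIMESTAMP_REPLY and (msg["id"], msg["seq"]) == (ident, seq):
                    msg["offset_ms"] = clock_offset_ms(msg, t0, ms_since_midnight_utc())
                    return msg
        except socket.timeout:
            return None


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    reply = probe(target)
    if reply is None:
        print("%s: no timestamp reply (blocked or filtered)" % target)
    else:
        print("%s answered: transmit=%s UT, clock offset %+d ms" %
              (target, fmt_ms(reply["transmit"]), reply["offset_ms"]))
```

Run it as root with the target as its only argument, for example sudo python3 icmp_timestamp.py 192.0.2.10 (file name and address are illustrative). Against an unfiltered Linux host a single packet yields its time of day and its offset from your clock; after loading any of the rule sets above the same run times out while ping still works, which confirms the block is specific to types 13 and 14 rather than to ICMP as a whole. The midnight wrap in clock_offset_ms matters because a target a few time zones away or a probe run near 00:00 UT would otherwise report an offset of nearly a day.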

Conclusion

Although ICMP timestamp request and reply are a low-risk finding, they are easily mitigated. Whether or not this is right for your system is completely up to you.

Resources