JohnTRIVOLTA
Member
Topic Author
Posts: 345
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Block ICMP tunnel - best practice

Sun Jun 14, 2020 9:18 pm

Hello friends. How do you block ICMP tunnels? Which is the most appropriate and correct way?
Thanks in advance!
 
jvanhambelgium
Forum Veteran
Posts: 991
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Block ICMP tunnel - best practice

Sun Jun 14, 2020 9:33 pm

Well, I think ICMP tunnels mainly use the Echo (type 8) / Echo Reply (type 0) so I guess you simply need to block that. There is not much else you can do.
I don't think you want to go building L7 firewall rules which look into the packets ... It will kill performance anyway.

Blocking all ICMP altogether is also not completely smart, as ICMP is a rather important protocol...
 
JohnTRIVOLTA

Re: Block ICMP tunnel - best practice

Sun Jun 14, 2020 10:00 pm

jvanhambelgium wrote:
> Well, I think ICMP tunnels mainly use the Echo (type 8) / Echo Reply (type 0) so I guess you simply need to block that. There is not much else you can do.
> I don't think you want to go building L7 firewall rules which look into the packets ... It will kill performance anyway.
>
> Blocking all ICMP altogether is also not completely smart, as ICMP is a rather important protocol...

Thanks bro, but this is needed for ping... For now I have reduced it to one connection per src IP with a small packet size, up to 86 bytes!
Maybe I need some script to kill ICMP connections lasting more than 10 s, for example?
 
almdandi
Frequent Visitor
Posts: 75
Joined: Sun May 03, 2015 5:22 pm

Re: Block ICMP tunnel - best practice

Sun Jun 14, 2020 11:14 pm

You could try something like that. This will drop ICMP ping request packets where the IP packet is bigger than 92 bytes and sets a rate limit of 3 packets per second with a 10-packet burst.
/ip firewall filter add action=drop chain=forward icmp-options=8:0 limit=3,10:packet packet-size=93-65535 protocol=icmp
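
The policy described in the post above (echo requests over 92 bytes dropped, the rest held to 3 packets per second with a burst of 10), modelled over constructed packet metadata as an added example that is not part of the original thread. The per-source token bucket, the sample addresses and the function names are assumptions of the example, and it does not reproduce how RouterOS itself evaluates the posted rule.

```python
from collections import Counter

MAX_IP_LEN = 92   # thread's threshold: echo requests above 92 bytes are dropped
RATE = 3.0        # sustained echo requests per second (limit=3,10:packet)
BURST = 10.0      # token-bucket depth
IP_HDR, ICMP_HDR = 20, 8  # header sizes, assuming no IP options

def classify(packets):
    """packets: (ts_seconds, src_ip, icmp_type, ip_total_len) tuples, time-ordered.
    Returns one verdict per packet: 'accept', 'drop-size' or 'drop-rate'."""
    buckets = {}  # src_ip -> (tokens, last_ts); per-source bucket is an assumption
    verdicts = []
    for ts, src, icmp_type, length in packets:
        if icmp_type != 8:            # only echo requests are policed here
            verdicts.append("accept")
            continue
        if length > MAX_IP_LEN:
            verdicts.append("drop-size")
            continue
        tokens, last = buckets.get(src, (BURST, ts))
        tokens = min(BURST, tokens + (ts - last) * RATE)  # refill since last packet
        if tokens >= 1.0:
            tokens -= 1.0
            verdicts.append("accept")
        else:
            verdicts.append("drop-rate")
        buckets[src] = (tokens, ts)
    return verdicts

def residual_channel_bytes_per_s():
    """Sustained echo-request payload that still passes the policy, per source."""
    return (MAX_IP_LEN - IP_HDR - ICMP_HDR) * RATE

def sample_packets():
    """Constructed metadata, not a real capture."""
    normal = [(float(t), "192.0.2.10", 8, 84) for t in range(5)]    # 1 pps ping
    bulky = [(t * 0.1, "192.0.2.20", 8, 1028) for t in range(20)]   # large payloads
    chatty = [(t * 0.02, "192.0.2.30", 8, 84) for t in range(50)]   # 50 pps, small
    return sorted(normal + bulky + chatty)

def summarize(packets):
    """Count verdicts per source address."""
    counts = Counter()
    for (_, src, _, _), verdict in zip(packets, classify(packets)):
        counts[(src, verdict)] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(summarize(sample_packets()).items()):
        print(key, n)
    print("residual bytes/s:", residual_channel_bytes_per_s())
```

The residual figure shows what the size and rate limits together leave available in the request direction; echo replies are not policed by this model.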
 
jvanhambelgium

Re: Block ICMP tunnel - best practice

Mon Jun 15, 2020 12:20 am

Yeah, that seems like a nice solution actually. That would really minimize the use case of using a tunnel if you can hardly "leak" any data through it.
 
JohnTRIVOLTA

Re: Block ICMP tunnel - best practice

Mon Jun 15, 2020 12:26 am

almdandi wrote:
> You could try something like that. This will drop ICMP ping request packets where the IP packet is bigger than 92 bytes and sets a rate limit of 3 packets per second with a 10-packet burst.
> /ip firewall filter add action=drop chain=forward icmp-options=8:0 limit=3,10:packet packet-size=93-65535 protocol=icmp

In the previous post this is exactly what I said, but in this way:
/ip fi r add action=drop chain=prerouting packet-size=87-65535 protocol=icmp
The packet limit doesn't work, I've tried!
