[2366] in linux-security and linux-alert archive
[linux-security] Re: ICMP
daemon@ATHENA.MIT.EDU (David Balazic)
Thu Jun 29 07:09:07 2000
Date: Thu, 29 Jun 2000 10:07:15 +0200
From: David Balazic <david.balazic@uni-mb.si>
To: Jonathan Benson <sysadmin@ocean.com.au>
Cc: wulfman <wulfman@wulfman.com>,
"linux-security@redhat.com" <linux-security@redhat.com>
Message-id: <395B03B3.D57659C1@uni-mb.si>
MIME-version: 1.0
Content-type: text/plain; charset=iso-8859-2
Content-transfer-encoding: 7bit
Resent-From: linux-security@redhat.com
Jonathan Benson wrote:
>
> wulfman wrote:
>
> > After the recent attacks on the major servers on the web my ISP has
> > decided to stop all ICMP messages from his ISP.
> >
> > I have read the RFCs and it seems that he can't do that... As a result
> > pings and traceroutes will not work.
>
> Having pings and traceroutes not working isn't all that horrible.
> Stopping the destination unreachable (fragmentation need) ICMP message is
> as it will break MTU discovery.
>
> To a network I want relatively secure I've blocked:
> echo-requests inbound (ping)
> time-exceeded outbound (traceroute)
> redirect inbound (could be nasty)
Consider this (true) scenario:
- I try to visit http://www.microsoft.com
- doesn't work
- I ping www.microsoft.com
- no reply, I think "Aha, it is dead" (*)
- after 1 hour I ping it again
- still no reply, "Well, they didn't fix it yet..." (*)
- after another hour I ping it again and guess what, still no reply
my thoughts: "The admin at MS is incompetent!"
- then a colleague says that he has been using the site for the last hour
- I try it also and see the wonder, it works. I curse a random
net-admin and go on with my life.
Need I say more?
There is a reason that they "invented" ping!
> Everything else comes through. I did the first two to stop people learning
> more than they need to about the network and the last to stop someone
> fooling a machine into routing packets somewhere it shouldn't.
>
> If anyone out there knows better than I and can suggest other things I
> should be blocking or give good reason why I shouldn't block some of these
> I'm always willing to learn more.
It seems a good idea to block inbound packets to your broadcast address.
And packets from outside that claim to come from an inside address.
It might be useful to put a maximum size limit on ping packets.
> Jon
David Balazic
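As an added example (not code from either poster), the filter policy discussed in this thread applied to raw IPv4/ICMP datagrams: Jon's three blocks, David's broadcast, spoofed-source and ping-size additions, and an explicit exemption for the fragmentation-needed message so path MTU discovery keeps working. The inside prefix 192.168.1.0/24, its broadcast address and the 1024-byte payload limit are assumed, constructed values.

```python
import ipaddress
import struct

# Assumed, constructed values: the thread names no specific network or limit.
INSIDE = ipaddress.ip_network("192.168.1.0/24")
MAX_PING_PAYLOAD = 1024  # bytes of ICMP payload tolerated on echo request/reply

ECHO_REPLY, DEST_UNREACH, REDIRECT, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 5, 8, 11
FRAG_NEEDED = 4  # code under DEST_UNREACH; carries the next-hop MTU

def parse_ipv4_icmp(pkt: bytes):
    """Return (src, dst, icmp_type, icmp_code, payload_len) from a raw IPv4 datagram."""
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    if pkt[9] != 1:                    # protocol field: 1 = ICMP
        raise ValueError("not an ICMP datagram")
    src = ipaddress.ip_address(pkt[12:16])
    dst = ipaddress.ip_address(pkt[16:20])
    return src, dst, pkt[ihl], pkt[ihl + 1], len(pkt) - ihl - 8

def decide(pkt: bytes, direction: str):
    """Filter verdict; direction is 'in' (from the outside) or 'out' (to it)."""
    src, dst, t, c, plen = parse_ipv4_icmp(pkt)
    if direction == "in":
        if src in INSIDE:              # anti-spoofing, as David suggests
            return "DROP", "outside packet claiming an inside source"
        if dst == INSIDE.broadcast_address:
            return "DROP", "packet to the broadcast address"
    # Path MTU discovery depends on this message; never drop it either way.
    if t == DEST_UNREACH and c == FRAG_NEEDED:
        return "ACCEPT", "fragmentation-needed keeps PMTU discovery working"
    if t in (ECHO_REQUEST, ECHO_REPLY) and plen > MAX_PING_PAYLOAD:
        return "DROP", "oversized ping"
    if direction == "in" and t == ECHO_REQUEST:
        return "DROP", "inbound echo-request"
    if direction == "in" and t == REDIRECT:
        return "DROP", "inbound redirect"
    if direction == "out" and t == TIME_EXCEEDED:
        return "DROP", "outbound time-exceeded"
    return "ACCEPT", "default"   # echo replies still come back, so our own pings work

def build(src: str, dst: str, icmp_type: int, icmp_code: int, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4+ICMP datagram for testing (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 1, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0, 0) + payload
```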
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe:
mail -s unsubscribe linux-security-request@redhat.com < /dev/null