[12726] in bugtraq

home help back first fref pref prev next nref lref last post

Re: BindView Security Advisory: SSR Denial of Service

daemon@ATHENA.MIT.EDU (Alan Cox)
Fri Nov 26 01:25:04 1999

Content-Type: text
Message-Id:  <E11qnTP-0007CQ-00@the-village.bc.nu>
Date:         Thu, 25 Nov 1999 01:13:22 +0000
Reply-To: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
From: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
X-To:         advisory+ssrdos@BOS.BINDVIEW.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <000201bf36cd$7e5ec980$c4b04bcf@blake> from "BindView Security
              Advisory" at Nov 24, 99 05:44:40 pm

> The danger in this problem arises from the fact that many perimeter defenses
> (firewalls) permit ICMP through, which means that remote, anonymous
> attackers

Note that perimiter firewalls that don't let some ICMP through are broken
(If anyone from certain large search/net companies beginning with A and Y are
listening....). With return ICMP must fragment messages blocked the host
isnt properly accessible (in many cases not accessible at all) over lower
MTU paths like secure tunnels, groups of machines behind low mtu ppp links
etc.

A perimiter firewall can (and probably should) do stateful checking of the
ICMPs perhaps with rate limiting too.

Alan

home help back first fref pref prev next nref lref last post