[38821] in bugtraq


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

RE: TCP/IP implementations do not adequately validate ICMP error messages

daemon@ATHENA.MIT.EDU (David Schwartz)
Wed May 11 22:42:57 2005

From: "David Schwartz" <davids@webmaster.com>
To: <bugtraq@securityfocus.com>
Date: Tue, 10 May 2005 13:38:19 -0700
Message-ID: <MDEHLPKNGKAHNMBLJOLKKEDNDLAB.davids@webmaster.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
In-Reply-To: <4280CA6D.20602@ilionsecurity.ch>
X-MDaemon-Deliver-To: bugtraq@securityfocus.com
Reply-To: davids@webmaster.com


> when I add the following rule to iptables, the linux server (Kernel
> 2.4.29-grsec) is no longer vulnerable to the DOS:
> iptables -I INPUT 1 -p icmp -j DROP
>
> I am interested in knowing if this work around makes any sense. Please
> keep me informed about this vulnerability.

	This breaks PMTU detection. ICMP is a host requirement, it is not optional.

	DS


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

[38821] in bugtraq

RE: TCP/IP implementations do not adequately validate ICMP error messages

daemon@ATHENA.MIT.EDU (David Schwartz)Wed May 11 22:42:57 2005

daemon@ATHENA.MIT.EDU (David Schwartz)
Wed May 11 22:42:57 2005