RE: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)

From: James Kelly <jim(at)essistants.com>
Date: Tue Feb 04 2003 - 13:26:56 EST

Blocking/dropping from an undesirable ip isn't really going to effect your trouble-shooting, since you shouldn't be accepting traffic from there anyway. No news is good news from the ip is good news?

Jim

-----Original Message-----
From: Frederic Harster [mailto:f.harster@evc.net] Sent: Monday, February 03, 2003 10:56 AM To: Incidents Mailing List
Subject: Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)

Hugo van der Kooij wrote:

>>Let's say that a router is configured (with ACLs) to deny packets from
"ICMP
>>unreachable", doesn't it?
cause
>>a multiplying?
>>I know that a router/firewall may be configured to _not_ send "ICMP
>>unreachables" but default is to send them.
>>
>>
>
>The default behaviour for filtering must be to DROP the packets. This
is
>standard in all known firewalls and should be considered common
knowledge.
>
>Some call this stealth mode.
Although I _could_ agree as far as a firewalls are concerned, I don't when it comes to routers.
Blocking/droping any ICMP packet usually turns into a real nightmare when you've to perform troubleshooting on a wide network.

my 0,02... and common pratice.
Fred

>
>

---

---

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

---

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Tue Feb 4 16:58:20 2003