|
|
| Applications |
| Mailing Lists |
| Miscellaneous |
| Operating Systems |
| Programming |
Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)
Date: Tue Feb 04 2003 - 13:46:33 EST
> Although I _could_ agree as far as a firewalls are concerned, I don't
Please don't spread the word that ICMP only is for troubleshooting networks. ICMP has it's uses beside "PING", the most important one being "Path-MTU-Discovery" which will break when filtering all ICMP packets! [1]
There is a really frightening number of clueless admins which misconfigure their firewalls this way!
Chris
[1] the canonical example being a webserver behind a firewall which blocks
all ICMP packets. If the webserver has path-mtu-discovery enabled the following will happen when you (as a client) are sitting behind a smaller-than-ethernet-mtu link (PPPoE DSL or Tunnel for example):
1.) www-server sends data-packet (as much as the local ethernet permits)
to client
2.) a router between server and client will drop this packet because:
- the link MTU (PPPoE, Tunnel) is too small
- the packet has it's "don't fragment" bit set (because of the webserver trying path-mtu-discovery) 2b) the router will send a ICMP-fragmentatin-needed-but-DF-set message to the webserver 3.) the firewall in front of the webserver drops this packet 4.) the webserver will never be informed that his packets are too large and will try to send too large packets which never reach the client.
-- And remember - if it ain't broke, hit it again. -- Foon ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.comReceived on Tue Feb 4 17:18:45 2003
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:57 EDT
|
Contact Us Legal Notices Order Services Online Pantek Home Privacy Policy IT news Site Map Pantek Library |