|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
RE: TCP/IP implementations do not adequately validate ICMP error messages
From: David Schwartz (davids
webmaster.com)
Date: Tue May 10 2005 - 15:38:19 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
> when I add the following rule to iptables, the linux server (Kernel
> 2.4.29-grsec) is no longer vulnerable to the DOS:
> iptables -I INPUT 1 -p icmp -j DROP
>
> I am interested in knowing if this work around makes any sense. Please
> keep me informed about this vulnerability.
This breaks PMTU detection. ICMP is a host requirement, it is not optional.
DS
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]