
NFR Wizards Archive: Re: ICMP Packets.

Re: ICMP Packets.


Darren Reed (darrenrreed.wattle.id.au)
Sat, 6 Jun 1998 21:13:14 +1000 (EST)


In some email I received from tqbfpobox.com, sie wrote:
> > You could consider adding "source quench" ICMP messages to the "let
> > through" list.
>
> Why? Source quench is deprecated (generating even more traffic in
> diagnostic messages as a result of congestion isn't the best design), and
> some operating systems may misbehave in reacting to them.

I didn't know it was deprecated... since when did that happen?
At least FreeBSD 2.2.5 generates and handles them, so it must
have happened while someone wasn't looking.

> > "Time exceeded" is needed for traceroute (and in an ever growing
> > internet, you may need to be aware of boxes with low default ttl's).
>
> There are only two different methods I'm aware of to map remote network
> topologies (record-route and TTL modulation). Network topology is
> extremely valuable information for an attacker. Since blocking TTL-
> exceeded messages is an effective way to prevent this information from
> leaking, filtering it seems to make much more sense to me than leaving it
> open for the sake of its limited diagnostic value.

Umm, I think they were concerned about _incoming_ packets, not outgoing.
(Well, that was my assumption, anyway, since that's the reason for most
 of the paranoia about ICMP...)
If an attacker is going to get information from those TTL exceeded ICMP
packets going out, well... ...not to mention that if those packets are
even getting in, then you need to do some thinking.

Darren
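The policy the thread argues over, written out as an added example (not code from this archive or from any of the posters): a minimal ICMP header parser plus a direction-aware filter that drops Source Quench (type 4) in both directions and lets Time Exceeded (type 11) in (so your own traceroutes still get answers) while dropping it on the way out (so outsiders cannot map your topology by TTL modulation). The "drop everything else" default and the pass/drop return strings are assumptions of this example, not something the thread settled.

```python
import struct

# ICMP type numbers from RFC 792
ICMP_SOURCE_QUENCH = 4
ICMP_TIME_EXCEEDED = 11


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over the ICMP header + body."""
    if len(data) % 2:          # pad odd-length messages with a zero byte
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:         # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int = 0, payload: bytes = b"") -> bytes:
    """Construct a well-formed ICMP message (used here only to build samples)."""
    draft = struct.pack("!BBH", icmp_type, code, 0) + payload
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(draft)) + payload


def parse_icmp(pkt: bytes):
    """Return (type, code, rest) or raise ValueError on a short/corrupt message."""
    if len(pkt) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    if icmp_checksum(pkt) != 0:     # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _ = struct.unpack("!BBH", pkt[:4])
    return icmp_type, code, pkt[4:]


def icmp_policy(direction: str, icmp_type: int) -> str:
    """direction is 'in' (Internet -> inside) or 'out' (inside -> Internet)."""
    if icmp_type == ICMP_SOURCE_QUENCH:
        return "drop"           # deprecated; some stacks misbehave on it
    if icmp_type == ICMP_TIME_EXCEEDED:
        # inbound: replies to our own low-TTL probes, keep traceroute working
        # outbound: would let an outsider map our topology, so drop
        return "pass" if direction == "in" else "drop"
    return "drop"               # assumption: default deny for other types


def filter_packet(direction: str, pkt: bytes) -> str:
    icmp_type, _, _ = parse_icmp(pkt)
    return icmp_policy(direction, icmp_type)
```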



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:22 CDT