Firewall Wizards mailing list archives

Re: TTL, works with Cisco ACL's to :)


From: Lance Spitzner <lance () spitzner net>
Date: Thu, 9 Nov 2000 23:23:51 -0600 (CST)

On Thu, 9 Nov 2000, Alex Goldney wrote:

> I know a lot of sites don't do good egress filtering, and I guess that is
> the point that needs to be hammered home.....

Actually many sites do have egress filtering.  However, the filtering device
is filtering outbound traffic generated by the internal network.  What many
sites are NOT doing is egress filtering of traffic generated by the filtering
device itself.  The filtering device is trusted, so it is allowed to generate
and send any traffic it wants to.  That is why I believe the use of TTL within
port scans can be effective against many filtering devices.

On Thu, 9 Nov 2000, Alex Goldney wrote:

> OK, so you aren't blocking any ICMP packets with access-lists.
> That should avoid the problem, no?  Of course, it can be considered
> a bit unfriendly to block the lot.
>
> PATH MTU discovery stuff should be allowed at least in general.  I guess
> that opens up the possibility for the same type of attack if the MTU for
> one of your router's links is less than the MTU of the incoming internet
> link.  This case should be pretty rare though.

Keep in mind, many Firewalls/Screening Routers do not block ICMP error
messages.  Those that do block ICMP error messages block them inbound from
the untrusted networks, such as the Internet, or block them inbound from
internal networks.  However, most rulebases/ACLs do NOT block ICMP error
messages generated by the filtering device itself.

Keep in mind, this is a generalization based on my experience.

lance

-- 
Lance Spitzner
http://www.enteract.com/~lspitz


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
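The gap Lance describes (egress rules cover traffic from internal hosts, but not the ICMP errors the filtering device generates itself) is also a detection opportunity: the device's own Time Exceeded messages are a small, well-defined stream, and a single external host collecting many of them for many different quoted ports within a short window is worth an alert. The following is an added example, not code from the thread or from any firewall vendor; it assumes the filter exports a record for each ICMP Time Exceeded it generates, including the destination port quoted from the expired packet, and the record format and sample values are constructed.

```python
from collections import defaultdict

FILTER_ADDR = "192.0.2.1"   # constructed: the filter's own external interface address
PORT_THRESHOLD = 5          # distinct quoted ports before a host is flagged
WINDOW_SECONDS = 60

# Constructed records: (epoch_seconds, src, dst, icmp_type, dst_port quoted from the expired packet)
SAMPLE_RECORDS = [
    (1000, "192.0.2.1", "203.0.113.7", 11, 22),
    (1001, "192.0.2.1", "203.0.113.7", 11, 25),
    (1002, "192.0.2.1", "203.0.113.7", 11, 53),
    (1003, "192.0.2.1", "203.0.113.7", 11, 80),
    (1004, "192.0.2.1", "203.0.113.7", 11, 443),
    (1005, "192.0.2.1", "203.0.113.7", 11, 8080),
    (1006, "192.0.2.1", "198.51.100.9", 11, 80),  # one expiry, e.g. an ordinary traceroute
    (1007, "10.0.0.5", "203.0.113.7", 11, 22),    # sent by an internal host, not by the filter
    (2000, "192.0.2.1", "203.0.113.7", 11, 139),  # outside the 60 s window
]

def ttl_probe_sources(records, filter_addr=FILTER_ADDR,
                      threshold=PORT_THRESHOLD, window=WINDOW_SECONDS):
    """Map each external host to the sorted quoted ports for which it received
    Time Exceeded messages *from the filter itself*, but only when at least
    `threshold` distinct ports fall inside one `window`-second span.
    Messages sourced from internal hosts are ignored: those already pass
    through the egress rules, while the device's own ICMP usually does not.
    """
    per_dst = defaultdict(list)
    for ts, src, dst, icmp_type, port in records:
        if src == filter_addr and icmp_type == 11:   # ICMP Time Exceeded
            per_dst[dst].append((ts, port))

    flagged = {}
    for dst, events in per_dst.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:  # slide the window forward
                lo += 1
            ports = {p for _, p in events[lo:hi + 1]}
            if len(ports) >= threshold:
                flagged[dst] = sorted(set(flagged.get(dst, [])) | ports)
    return flagged

if __name__ == "__main__":
    for host, ports in ttl_probe_sources(SAMPLE_RECORDS).items():
        print(f"{host}: Time Exceeded from filter for {len(ports)} ports {ports}")
```

Tune the threshold and window to the device's normal traceroute load; a host legitimately tracing a path produces Time Exceeded for one destination port, not many.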

