Firewall Wizards mailing list archives
Re: Odp: icmp scans
From: Gigi Sullivan <sullivan () seclab com>
Date: Fri, 13 Nov 1998 14:02:09 +0100 (CET)
Hello:) On Thu, 12 Nov 1998, Bob Acosta wrote:
> Date: Thu, 12 Nov 1998 12:38:14 -0500
> From: Bob Acosta <acostar () allied-chas com>
> To: Gigi Sullivan <sullivan () seclab com>, Chris Kostick <christopher.t.kostick () cpmx saic com>
> Cc: Pawel Maciejewski <laban () op onet pl>, Neil Ratzlaff <Neil.Ratzlaff () ucop edu>, firewall-wizards () nfr net, fw-1-mailinglist () lists us checkpoint com
> Subject: Re: Odp: icmp scans
>
> True ip could be construed as unreliable (more like unsecure), and yes application-level programming could help make it safer (how many programmers are concerned about security - more interested in functionality and getting it on the shelf). Out of curiosity, why has there been no
Right.
> pseudo application proxy for icmp. One that checks the data portion of the

Well, it won't be hard to develop such an app. Just FYI, as always, route|daemon9 has developed another project called Pingd (www.infonexus.com/~daemon9/Projects). He swapped ICMP (only ECHO|ECHOREPLY) from kernel land to userland with a little kernel 2.0.x patch. It's possible to modify this project to add more functionality, e.g. the data portion check to see if something is wrong. His idea is simple but useful IMHO, since you can use ICMP without being too afraid. As I said, it's possible to "embed" everything you want in the data portion of every protocol. This is the "common" way to fool some packet filter firewalls (those that leave UDP port 53 open for DNS stuff, e.g.). AFAIK Raptor (a proxy gw firewall) can perform Application Data Scanning.

> packets for non-standard strings. It was my impression that the data portion of the packet was used primarily for feeding back routing info, timestamps/delays and such. Has anybody from TIS looked into this, or is the issue too complex? My stance is to refuse all icmp, however many sites refuse to turn it off. They indicate it is either needed for troubleshooting reasons (ok - but then turn it off), or for monitoring purposes (are my remote systems still up?), and for some unknown reason even some applications require a pre-icmp before permitting a connection (would like to know why). Also, I am concerned with the way icmp has a direct line from layer 3 to the kernel of some, maybe most systems (if I am correct).
Bye bye

Have a nice day and ... I apologize for my bad English ;)

-- gg sullivan --

Lorenzo Cavallaro
Intesis SECURITY LAB
Via Settembrini, 35
I-20124 Milano ITALY
Phone: +39-02-671563.1
Fax: +39-02-66981953
Email: sullivan () seclab com
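The data-portion check discussed above, as an added example that is not part of this thread and is not Pingd's code: a small Python inspector that parses an ICMP echo message, verifies its checksum, and classifies the payload as the standard filler a normal ping carries or as something a firewall or userland ICMP daemon would want to log. The two reference patterns (the Linux-style incrementing bytes after an 8-byte timestamp, and the Windows-style "abcdefghijklmnop..." text) are assumptions about common ping implementations and should be tuned per site; the packets fed to it are constructed inline.

```python
import struct
from dataclasses import dataclass

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

# Assumed reference filler patterns (not authoritative; adjust for the ping
# implementations actually seen on your network):
#   Linux/iputils style: 8-byte timestamp followed by bytes 0x10, 0x11, ...
#   Windows style: a fixed 32-byte ASCII pattern
LINUX_STYLE_TAIL = bytes(range(0x10, 0x10 + 48))
WINDOWS_STYLE = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class Echo:
    type: int
    code: int
    ident: int
    seq: int
    payload: bytes


def parse_echo(msg: bytes) -> Echo:
    """Parse an ICMP echo request/reply; raise ValueError if malformed."""
    if len(msg) < 8:
        raise ValueError("short ICMP message")
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    if typ not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        raise ValueError("not an echo message (type %d)" % typ)
    # Summing the message including its checksum field yields 0 when intact.
    if icmp_checksum(msg) != 0:
        raise ValueError("bad checksum")
    return Echo(typ, code, ident, seq, msg[8:])


def classify_payload(payload: bytes) -> str:
    """Label the data portion: empty, standard filler, text, or other."""
    if not payload:
        return "empty"
    if payload == WINDOWS_STYLE:
        return "standard"
    tail = payload[8:]  # skip the assumed 8-byte timestamp
    if len(payload) >= 8 and len(tail) <= len(LINUX_STYLE_TAIL) \
            and tail == LINUX_STYLE_TAIL[:len(tail)]:
        return "standard"
    printable = sum(32 <= b < 127 for b in payload)
    if printable / len(payload) > 0.9:
        return "suspicious-text"  # looks like a message, not ping filler
    return "nonstandard"


def inspect(msg: bytes) -> dict:
    """Return a log-ready verdict for one ICMP message."""
    try:
        echo = parse_echo(msg)
    except ValueError as exc:
        return {"ok": False, "reason": str(exc)}
    verdict = classify_payload(echo.payload)
    return {"ok": verdict in ("empty", "standard"), "class": verdict,
            "ident": echo.ident, "seq": echo.seq, "len": len(echo.payload)}


def build_echo(ident: int, seq: int, payload: bytes, typ: int = ICMP_ECHO_REQUEST) -> bytes:
    """Build a well-formed echo message (used here to construct test traffic)."""
    hdr = struct.pack("!BBHHH", typ, 0, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", typ, 0, csum, ident, seq) + payload


if __name__ == "__main__":
    # Constructed sample traffic: a normal Linux-style ping, and one whose
    # data portion carries an embedded text message instead of filler.
    normal = build_echo(0x1234, 1, bytes(8) + LINUX_STYLE_TAIL)
    odd = build_echo(0x1234, 2, b"this is not ping filler, it is a message")
    for pkt in (normal, odd):
        print(inspect(pkt))
```

The check is deliberately conservative: anything that is not byte-for-byte one of the known filler patterns is reported, so a site that allows echo through a filter can at least see when the data portion stops looking like ping and starts looking like a channel.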