Security Incidents mailing list archives
Re: Sudden increase in scans.
From: Alexander Schreiber <Alexander.Schreiber () INFORMATIK TU-CHEMNITZ DE>
Date: Tue, 25 Jul 2000 03:20:24 +0200
Hi !

On Mon, 24 Jul 2000, Jose Nazario wrote:
> On Mon, 24 Jul 2000, Alexander Schreiber wrote:
>> But you could stop the kiddies from using ICMP to map out your network by blocking:
>>  - incoming ICMP echo-request (ping)
>>  - outgoing ICMP echo-reply (pong)
>
> you may also want to block ICMP-PORT-UNREACHABLEs to break firewalk. see the paper at packetfactory.net for the situation.

Yes, I know Firewalking (read the paper quite some time ago). Interesting technique. But it won't work in this case since all internal hosts use RFC1918 addresses and are simply not reachable from the outside. Using RFC1918 internally saved us one hell of a lot of headaches (no, I don't want any Windows box to be reachable from the outside, they are trojaned too easily).

> blocking all ICMP is just plain wrong. it's vital to the proper function of IP.

<sigh> Yes, I preached this to several ''clever firewall administrators'' who believed that dropping _all_ ICMP at the border was a clever thing to do. They usually got bitten by things like path MTU discovery. Or had to wait for timeouts instead of getting unreachable ... you know the game.

Regards,
Alex.
--
------------------------------------------------------------------------------
EMail : als () thangorodrim de                 | WWW : http://www.thangorodrim.de/
If privacy is outlawed, only outlaws will have | Ceterum censeo Parva Mollia
privacy. (Philip Zimmerman, author of PGP)     | esse delendam.
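The filtering discussed in this message, as an added example that is not part of the original post: it parses constructed ICMP packets and compares the selective rule (drop ping in, pong out) with a drop-everything border rule, showing that the latter also discards the "fragmentation needed" message that path MTU discovery depends on. All function names, addresses and sample packets are assumptions made for the illustration.

```python
import struct

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST = 0, 3, 8  # ICMP types (RFC 792)
FRAG_NEEDED = 4  # code under type 3; carries the next-hop MTU (RFC 1191)

def build(icmp_type, code, rest=0):
    """Constructed sample packet: 20-byte IPv4 header (protocol 1) plus an
    8-byte ICMP header. Checksums are left at zero and are not verified."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return ip + struct.pack("!BBHI", icmp_type, code, 0, rest)

def parse_icmp(packet):
    """Return (type, code, next_hop_mtu or None) from a raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:
        raise ValueError("not an IPv4 ICMP packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 8:
        raise ValueError("truncated header")
    icmp_type, code, _, _, mtu = struct.unpack("!BBHHH", packet[ihl:ihl + 8])
    is_frag = (icmp_type, code) == (DEST_UNREACH, FRAG_NEEDED)
    return icmp_type, code, (mtu if is_frag else None)

def selective_policy(direction, icmp_type, code):
    """Drop only what the message lists: ping in, pong out."""
    if direction == "in" and icmp_type == ECHO_REQUEST:
        return "drop"
    if direction == "out" and icmp_type == ECHO_REPLY:
        return "drop"
    return "accept"

def drop_all_policy(direction, icmp_type, code):
    """The blanket border rule the message argues against."""
    return "drop"

SAMPLES = [  # (label, direction at the border, constructed packet)
    ("ping-in", "in", build(ECHO_REQUEST, 0)),
    ("pong-out", "out", build(ECHO_REPLY, 0)),
    ("frag-needed-in", "in", build(DEST_UNREACH, FRAG_NEEDED, 1400)),
    ("host-unreach-in", "in", build(DEST_UNREACH, 1)),
]

def evaluate(policy, samples=SAMPLES):
    """Map each sample label to (verdict, next-hop MTU it carried)."""
    return {name: (policy(d, *parse_icmp(p)[:2]), parse_icmp(p)[2])
            for name, d, p in samples}

if __name__ == "__main__":
    for policy in (selective_policy, drop_all_policy):
        print(policy.__name__, evaluate(policy))
```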