Security Incidents mailing list archives

Re: Sudden increase in scans.


From: Alexander Schreiber <Alexander.Schreiber () INFORMATIK TU-CHEMNITZ DE>
Date: Tue, 25 Jul 2000 03:20:24 +0200

Hi !

On Mon, 24 Jul 2000, Jose Nazario wrote:

> On Mon, 24 Jul 2000, Alexander Schreiber wrote:
>
> > But you could stop the kiddies from using ICMP to map out your network
> > by blocking:
> >  - incoming ICMP echo-request (ping)
> >  - outgoing ICMP echo-reply (pong)
>
> you may also want to block ICMP-PORT-UNREACHABLEs to break firewalk. see
> the paper at packetfactory.net for the situation.

Yes, I know Firewalking (read the paper quite some time ago). Interesting
technique. But it won't work in this case since all internal hosts use
RFC1918 addresses and are simply not reachable from the outside. Using
RFC1918 internally saved us one hell of a lot of headaches (no, I don't
want any Windows box to be reachable from the outside, they are trojaned too
easily).

> blocking all ICMP is just plain wrong. it's vital to the proper function
> of IP.

<sigh>

Yes, I preached this to several ''clever firewall administrators''
who believed that dropping _all_ ICMP at the border was a clever thing to
do. They usually got bitten by things like path MTU discovery, or had to
wait for timeouts instead of getting unreachables ... you know the game.

Regards,
       Alex.

--
------------------------------------------------------------------------------
 EMail : als () thangorodrim de              | WWW : http://www.thangorodrim.de/
 If privacy is outlawed, only outlaws will have | Ceterum censeo Parva Mollia
 privacy. (Philip Zimmerman, author of PGP)     | esse delendam.
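The ICMP filtering trade-off the thread describes, as an added example that is not part of any poster's message: a policy that drops all ICMP beside one that drops only inbound echo-request and outbound echo-reply while keeping destination-unreachable (including the fragmentation-needed message path MTU discovery depends on) and time-exceeded, plus a small parser that pulls type and code out of a raw IPv4 datagram. The packet bytes, the function and constant names, and the assumption that the port-unreachables one would drop "to break firewalk" are the outbound ones are all constructed here, not taken from the thread.

```python
"""Border ICMP filtering: the drop-everything policy beside a selective one.

Added example for the thread above; not code from any poster. Packet bytes,
names and the outbound-port-unreachable assumption are constructed.
"""
import struct
from dataclasses import dataclass

# ICMP types and codes (RFC 792 values)
ECHO_REPLY = 0
DEST_UNREACHABLE = 3
ECHO_REQUEST = 8
TIME_EXCEEDED = 11
# codes under type 3 (destination unreachable)
CODE_PORT_UNREACHABLE = 3
CODE_FRAG_NEEDED = 4      # "fragmentation needed and DF set": what PMTUD relies on


@dataclass(frozen=True)
class IcmpMessage:
    direction: str   # "in" (from the Internet) or "out" (towards it)
    icmp_type: int
    code: int


def parse_icmp(ipv4_packet: bytes, direction: str) -> IcmpMessage:
    """Pull type/code out of a raw IPv4 datagram carrying ICMP."""
    if len(ipv4_packet) < 20 or ipv4_packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ipv4_packet[0] & 0x0F) * 4      # header length in bytes
    if ipv4_packet[9] != 1:                # protocol field: 1 = ICMP
        raise ValueError("not ICMP")
    if len(ipv4_packet) < ihl + 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code = struct.unpack_from("!BB", ipv4_packet, ihl)
    return IcmpMessage(direction, icmp_type, code)


def drop_all_icmp(msg: IcmpMessage) -> str:
    """The 'clever firewall administrator' policy from the thread: drop everything."""
    return "DROP"


def selective_policy(msg: IcmpMessage, break_firewalk: bool = False) -> str:
    """Block only what lets an outsider map the network; keep what IP needs."""
    # The two messages named in the thread: no inbound ping, no outbound pong.
    if msg.direction == "in" and msg.icmp_type == ECHO_REQUEST:
        return "DROP"
    if msg.direction == "out" and msg.icmp_type == ECHO_REPLY:
        return "DROP"
    # Internal hosts may still ping out and receive the answers.
    if msg.direction == "out" and msg.icmp_type == ECHO_REQUEST:
        return "ACCEPT"
    if msg.direction == "in" and msg.icmp_type == ECHO_REPLY:
        return "ACCEPT"
    # Optional: drop port-unreachables (assumed here to mean the outbound ones).
    if (break_firewalk and msg.direction == "out"
            and msg.icmp_type == DEST_UNREACHABLE
            and msg.code == CODE_PORT_UNREACHABLE):
        return "DROP"
    # Never drop these: "fragmentation needed" (type 3 code 4) is path MTU
    # discovery, and the other unreachables / time-exceeded spare callers
    # from waiting for timeouts.
    if msg.icmp_type in (DEST_UNREACHABLE, TIME_EXCEEDED):
        return "ACCEPT"
    return "DROP"


def build_ipv4_icmp(icmp_type: int, code: int,
                    src=b"\xc0\xa8\x01\x02", dst=b"\x0a\x00\x00\x05") -> bytes:
    """Constructed sample: minimal 20-byte IPv4 header + 8-byte ICMP header."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 28, 0, 0, 64, 1, 0, src, dst)  # checksum left 0
    icmp_hdr = struct.pack("!BBHHH", icmp_type, code, 0, 0, 0)
    return ip_hdr + icmp_hdr


def compare_policies(packet: bytes, direction: str) -> dict:
    """Run both policies over one raw packet and report the verdicts."""
    msg = parse_icmp(packet, direction)
    return {"drop_all": drop_all_icmp(msg), "selective": selective_policy(msg)}


if __name__ == "__main__":
    # A router telling one of our hosts that its DF-flagged packet was too big.
    pmtud = build_ipv4_icmp(DEST_UNREACHABLE, CODE_FRAG_NEEDED)
    print("frag-needed inbound:", compare_policies(pmtud, "in"))
    # Someone pinging the border to map the network.
    ping = build_ipv4_icmp(ECHO_REQUEST, 0)
    print("echo-request inbound:", compare_policies(ping, "in"))
```

The point the comparison makes is the one Alex raises: under `drop_all_icmp` the fragmentation-needed message never reaches the internal host, so a connection with DF set stalls until something times out, while `selective_policy` still refuses the inbound ping that the original filtering rules were meant to stop.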
