Security Incidents mailing list archives

RE: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)


From: Tom Arseneault <TArseneault () counterpane com>
Date: Mon, 3 Feb 2003 11:22:36 -0800

The RFCs also state that you don't send ICMP messages in response to other
ICMP messages (at least as far as error messages go, you don't send a host
unreachable message in response to an echo packet, though you would send an
echo reply).

Tom Arseneault
Security Engineer
Counterpane Internet Security.
"All humans are born Right-Handed...but the great ones overcome it."
 

-----Original Message-----
From: Tomasz Papszun [mailto:tomek-incid () lodz tpsa pl]
Sent: Friday, January 31, 2003 12:11 PM
To: Peter Triller
Cc: incidents () securityfocus com
Subject: Re: Packets from 255.255.255.255(80) (was: Packet from port 80
with spoofed microsoft.com ip)

<===SNIP===>

These ICMP packets try to travel to... 255.255.255.255! Wouldn't it cause
a multiplying?
I know that a router/firewall may be configured to _not_ send "ICMP
unreachables" but default is to send them.

BTW, I seem to remember that _not_ sending "ICMP unreachables" is
somehow against RFC...  Of course security reasons for not sending them
may be important (e.g. for hiding some network devices) but
_formally_... it's a little not good :-) .

<===SNIP===>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
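
Added example, not part of the original messages: a Python check of the RFC 1122 section 3.2.2 rules for when an ICMP error must not be generated, which cover both points in this thread (errors about ICMP errors, and datagrams whose source is a broadcast address such as 255.255.255.255). The function names and sample datagrams are constructed for illustration; directed broadcasts are not checked because that needs the local netmask.

```python
import ipaddress
import struct

ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}  # unreachable, quench, redirect, time exceeded, param problem
CLASS_E = ipaddress.ip_network("240.0.0.0/4")
BROADCAST = ipaddress.ip_address("255.255.255.255")


def unusable(addr, is_source):
    """Reason this address rules out an ICMP error, or None."""
    if addr == BROADCAST:
        return "limited broadcast address"
    if addr.is_multicast:
        return "multicast address"
    if is_source and addr.is_unspecified:
        return "zero address"
    if is_source and addr.is_loopback:
        return "loopback address"
    if is_source and addr in CLASS_E:
        return "Class E address"
    return None


def may_send_icmp_error(packet, link_broadcast=False):
    """Return (allowed, reason) for a received IPv4 datagram (raw bytes)."""
    ihl = (packet[0] & 0x0F) * 4 if packet else 0
    if len(packet) < 20 or packet[0] >> 4 != 4 or ihl < 20:
        return False, "not a complete IPv4 header"
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    if link_broadcast:
        return False, "received as a link-layer broadcast"
    if frag_offset:
        return False, "non-initial fragment"
    for addr, is_source, label in ((src, True, "source"), (dst, False, "destination")):
        why = unusable(addr, is_source)
        if why:
            return False, f"{label} is a {why}"
    # Directed broadcasts need the local netmask and are not checked here.
    if packet[9] == 1 and len(packet) > ihl and packet[ihl] in ICMP_ERROR_TYPES:
        return False, "datagram is itself an ICMP error"
    return True, "no RFC 1122 exclusion applies"


def build_ipv4(src, dst, proto, payload=b"", frag=0):
    """Constructed sample datagram; checksum left 0 since nothing validates it."""
    a, b = ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, frag, 64, proto, 0, a, b) + payload
```

Calling may_send_icmp_error(build_ipv4("255.255.255.255", "192.0.2.10", 6)) models the TCP packets discussed in the thread and reports that no ICMP error should be generated for them.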