Security Incidents mailing list archives
RE: Packets from 255.255.255.255(80) (was: Packet from port 80 wi th spoofed microsoft.com ip)
From: Tom Arseneault <TArseneault () counterpane com>
Date: Mon, 3 Feb 2003 11:22:36 -0800
The RFC's also state that you don't send ICMP messages in responce to other ICMP messages (at least as far as error messages go, you don't send a host unreachable message in response to an echo packet, though you would send a echo reply). Tom Arseneault Security Engineer Counterpane Internet Security. "All humans are born Right-Handed...but the great ones overcome it." -----Original Message----- From: Tomasz Papszun [mailto:tomek-incid () lodz tpsa pl] Sent: Friday, January 31, 2003 12:11 PM To: Peter Triller Cc: incidents () securityfocus com Subject: Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip) <===SNIP===> These ICMP packets try to travel to... 255.255.255.255! Would'n it cause a multiplying? I know that a router/firewall may be configured to _not_ send "ICMP unreachables" but default is to send them. BTW, I seem to remember that _not_ sending "ICMP unreachables" is somehow against RFC... Of course security reasons for not sending them may be important (e.g. for hiding some network devices) but _formally_... it's a little not good :-) . <===SNIP===> ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- RE: Packets from 255.255.255.255(80) (was: Packet from port 80 wi th spoofed microsoft.com ip) Tom Arseneault (Feb 05)
- <Possible follow-ups>
- RE: Packets from 255.255.255.255(80) (was: Packet from port 80 wi th spoofed microsoft.com ip) Fitzgerald, John (Feb 05)
- RE: Packets from 255.255.255.255(80) (was: Packet from port 80 wi th spoofed microsoft.com ip) Fitzgerald, John (Feb 05)