Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)

From: Frederic Harster <f.harster () evc net>
Date: Mon, 03 Feb 2003 16:56:23 +0100
Hugo van der Kooij wrote:


Let's say that a router is configured (with ACLs) to deny packets from
255.255.255.255 (that's why I noticed them). Then it sends back an "ICMP
unreachable", doesn't it?
These ICMP packets try to travel to... 255.255.255.255! Would'n it cause
a multiplying?
I know that a router/firewall may be configured to _not_ send "ICMP
unreachables" but default is to send them.
The default behaviour for filtering must be to DROP the packets. This is standard in all known firewalls and should be considered common knowledge. 

Some call this stealth mode.
Although I _could_ agree as far as a firewalls are concerned, I don't when it comes to routers. Blocking/droping any ICMP packet usually turns into a real nightmare when you've to perform troubleshooting on a wide network. 

my 0,02... and common pratice.
Fred




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: