RE: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)

[James Kelly <jim () essistants com>]

Blocking/dropping from an undesirable ip isn't really going to effect
your trouble-shooting, since you shouldn't be accepting traffic from
there anyway.  No news is good news from the ip is good news? 

Jim

-----Original Message-----
From: Frederic Harster [mailto:f.harster () evc net] 
Sent: Monday, February 03, 2003 10:56 AM
To: Incidents Mailing List
Subject: Re: Packets from 255.255.255.255(80) (was: Packet from port 80
with spoofed microsoft.com ip)

Hugo van der Kooij wrote:

> > Let's say that a router is configured (with ACLs) to deny packets from
> > 255.255.255.255 (that's why I noticed them). Then it sends back an
"ICMP
> > unreachable", doesn't it?
> > These ICMP packets try to travel to... 255.255.255.255! Would'n it
cause
> > a multiplying?
> > I know that a router/firewall may be configured to _not_ send "ICMP
> > unreachables" but default is to send them.
> >    
>
> The default behaviour for filtering must be to DROP the packets. This
is 
> standard in all known firewalls and should be considered common
knowledge.
> Some call this stealth mode.
>  
Although I  _could_  agree as far as a firewalls are concerned, I don't 
when it comes to routers.
Blocking/droping any ICMP packet usually turns into a real nightmare 
when you've to perform troubleshooting on a wide network.

my 0,02... and common pratice.
Fred

>  


------------------------------------------------------------------------
----
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com