Security Incidents mailing list archives
RE: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)
From: James Kelly <jim () essistants com>
Date: Tue, 04 Feb 2003 13:26:56 -0500
Blocking/dropping from an undesirable ip isn't really going to affect your trouble-shooting, since you shouldn't be accepting traffic from there anyway. No news is good news from the ip is good news?

Jim

-----Original Message-----
From: Frederic Harster [mailto:f.harster () evc net]
Sent: Monday, February 03, 2003 10:56 AM
To: Incidents Mailing List
Subject: Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)

Hugo van der Kooij wrote:
> > Let's say that a router is configured (with ACLs) to deny packets from
> > 255.255.255.255 (that's why I noticed them). Then it sends back an "ICMP
> > unreachable", doesn't it? These ICMP packets try to travel to...
> > 255.255.255.255! Wouldn't it cause a multiplying? I know that a
> > router/firewall may be configured to _not_ send "ICMP unreachables" but
> > default is to send them.
>
> The default behaviour for filtering must be to DROP the packets. This is
> standard in all known firewalls and should be considered common knowledge.
> Some call this stealth mode.

Although I _could_ agree as far as firewalls are concerned, I don't when it comes to routers. Blocking/dropping any ICMP packet usually turns into a real nightmare when you have to perform troubleshooting on a wide network.

my 0,02... and common practice.

Fred
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
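On the question quoted in the thread (an ICMP unreachable sent toward 255.255.255.255): RFC 1122 section 3.2.2 and RFC 1812 section 4.3.2.7 state that an ICMP error must not be sent for a datagram whose source address does not define a single host. The following is an added example, not part of the original posts, that applies that rule while triaging ACL deny logs; the log format, sample lines and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")
CLASS_E = ipaddress.IPv4Network("240.0.0.0/4")

# Constructed log format (an assumption, not a real vendor's syntax).
LINE = re.compile(r"DENY (\w+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)")

# Constructed sample input using documentation address ranges.
SAMPLE_LOG = """\
DENY tcp 255.255.255.255:80 -> 192.0.2.10:1025
DENY tcp 255.255.255.255:80 -> 192.0.2.11:1026
DENY udp 198.51.100.7:53 -> 192.0.2.10:33000
DENY tcp 224.0.0.5:80 -> 192.0.2.10:1027
DENY tcp 127.0.0.1:80 -> 192.0.2.12:1028
"""

def source_class(addr: str) -> str:
    """Return 'unicast', or why the source cannot name a single host."""
    ip = ipaddress.IPv4Address(addr)
    if ip == LIMITED_BROADCAST:      # checked before Class E, which contains it
        return "broadcast"
    if ip in CLASS_E:
        return "class-e"
    if ip.is_multicast:
        return "multicast"
    if ip.is_loopback:
        return "loopback"
    if int(ip) >> 24 == 0:           # 0.0.0.0/8, the "zero address" case
        return "zero"
    # Directed broadcasts (e.g. x.y.z.255 on a /24) need the subnet mask
    # and are not detectable from the address alone.
    return "unicast"

def may_send_icmp_error(src: str) -> bool:
    """RFC 1122 3.2.2: ICMP errors only toward sources naming a single host."""
    return source_class(src) == "unicast"

def triage(log: str) -> Counter:
    """Count denied packets per source class; non-unicast sources are spoofed."""
    return Counter(source_class(m.group(2)) for m in LINE.finditer(log))

if __name__ == "__main__":
    for cls, n in triage(SAMPLE_LOG).most_common():
        print(f"{cls:10s} {n}")
```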