nanog mailing list archives
Re: DoS, ICMP, proxies, SYNDefender
From: Tim Bass <bass () linux silkroad com>
Date: Fri, 4 Oct 1996 10:38:47 -0400 (EDT)
(Doing my usual reiteration thing) routers _cannot_ generate UNREACH for every host. Routers don't usually generate UNREACH for dead hosts on ethernet/FDDI (should they, anyway?). Routers cannot generate
Yes, it's understood what 'routers usually don't do' :-) Routers don't do a lot of things they might. Confirming this and pointed out by another, Postel, RFC 793, points out this could be done as well (guess vendors just decided not to do it).

IMO, we are seeing one example (of many) why this 'might always be done' independent of the SYN attacks discussion. There are lots of application protocols that could benefit from knowing the destination was UNREACHABLE with an ICMP control packet. Why would you NOT want to know about network errors, for example why shouldn't a non-defaulting router inform the originator that 0.0.0.4 is not routable? Or, why would you not want to be informed that a host is UNREACHABLE?

Even during periods of route flap, it should be up to the protocol designer to decide how to set timers and respond to such errors, etc.

This is an interesting issue, IMO. Application and protocol programmers would have more information to 'use as they choose' if ICMP UNREACHABLES were actually sent when destinations are unreachable and sent 'as a rule'. This, IMO, is a direct protocol issue, and not a security issue per se.

Best Regards,
Tim