Re: [Sheflug] Re: Network Goes on Holiday
>>>>> "Chris" == Chris J/#6 <sixie [at] nccnet.co.uk> writes:
>> blocking all ICMP can be a bad thing as it can potentially mean
>> packets get lost, dropped, or corrupted due to router config
>> ... hint: don't block ICMP - Destination Unreachable :)
Chris> [...]
Chris> "The web sites are probably behind a firewall which is
Chris> filtering all ICMP packets (since some dumb firewall
Chris> administrator read somewhere that all ICMP packets are
Chris> evil).
That's unfair. The problem is that whereas with connection-oriented
TCP you can authenticate, it's in principle impossible to authenticate
ICMP (or UDP for that matter). OTOH, if you are willing to implement
the reliability features you need yourself, it is perfectly possible
to use UDP and ICMP packages to communicate. Communicating control
information via ICMP is exactly what distributed DoS packages like TFN
and trin00 do. You're left with no way to distinguish evil ICMP from
benign. Not even through the ICMP function field.
A really paranoid firewall will (and should) block ICMP too. The
problem is that "dumb firewall admins" who don't understand what
they're doing will pick the strictest policies that don't raise a
ruckus with their users. Since few users understand ICMP....
A typical example is my own University. They block all incoming ICMP
(but not outgoing) and nearly all UDP in both directions (only DNS to
DNS is allowed). But they permit unaudited machines to run
practically any of the complex TCP servers (including telnet or the
r-services, you just have to run them on a different port because the
telnet and rsh ports are blocked---this is of course a violation of
the spirit of the policy, but nowhere is it stated that you're not
allowed to do this). So they've effectively launched a DoS attack on
their own users without hindering even moderately adept script
kiddies. :-(
The head of the institute computer committee has threatened mayhem if
I go to the University committee with complaints myself, but as far as
I can tell he hasn't passed them on, either. :-(
--
University of Tsukuba Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
Institute of Policy and Planning Sciences Tel/fax: +81 (298) 53-5091
_________________ _________________ _________________ _________________
What are those straight lines for? "XEmacs rules."
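The selective ICMP policy the thread argues about, worked through as an added example (not code from the list post): it parses an ICMPv4 header, verifies the checksum, and accepts inbound only the error and reply types a host needs (Destination Unreachable, Time Exceeded, Echo Reply) while dropping the rest. The allow-list and the sample packets are constructed for this demo.

```python
"""Classify raw ICMPv4 messages against a selective inbound filter."""
import struct

ICMP_ECHO_REPLY, ICMP_DEST_UNREACH = 0, 3
ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 8, 11

# Inbound allow-list (assumed policy): the types that path-MTU discovery,
# traceroute and ping replies depend on. Everything else, including echo
# requests, redirects and router advertisements, is dropped at the edge.
INBOUND_ALLOWED = {ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(itype: int, code: int, rest: bytes = b"\0\0\0\0",
               payload: bytes = b"") -> bytes:
    """Assemble an ICMP message with a valid checksum (constructed input)."""
    msg = struct.pack("!BBH", itype, code, 0) + rest + payload
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]


def classify_inbound(packet: bytes) -> str:
    """Return 'accept:...' or 'drop:<reason>' for one inbound ICMP message."""
    if len(packet) < 8:
        return "drop:truncated"
    if icmp_checksum(packet) != 0:  # a valid message sums to zero
        return "drop:bad-checksum"
    itype, code = packet[0], packet[1]
    if itype not in INBOUND_ALLOWED:
        return f"drop:type-{itype}"
    return f"accept:type-{itype}-code-{code}"


def demo() -> dict:
    """Run the policy over constructed packets; keyed by description."""
    return {
        "frag-needed": classify_inbound(build_icmp(ICMP_DEST_UNREACH, 4)),
        "ttl-exceeded": classify_inbound(build_icmp(ICMP_TIME_EXCEEDED, 0)),
        "ping-request": classify_inbound(build_icmp(ICMP_ECHO_REQUEST, 0)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>13}: {verdict}")
```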
---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk
To unsubscribe from this list send mail to
- <sheflug-request [at] vuw.ac.nz> - with the word
"unsubscribe" in the body of the message.
GNU the choice of a complete generation.