firewallspotting
Robert Brockway
rbrockway-wgAaPJgzrDxH4x6Dk/4f9A at public.gmane.org
Mon Jan 3 08:19:56 UTC 2005
On Mon, 3 Jan 2005, Ilya Palagin wrote:
> Source quench, for instance, can be used for an effective DoS attack.
You still need to guess the TCP sequence number to Source Quench a TCP
stream. If you want to Source Quench many streams you must guess many
sequence numbers. If an attacker can guess sequence numbers all sorts of
evil is possible.
I just found this:
RFC 1009 (gateway requirements):
All gateways must contain code for sending ICMP Source Quench
messages when they are forced to drop IP datagrams due to
congestion. Although the Source Quench mechanism is known to
be an imperfect means for Internet congestion control, and
research towards more effective means is in progress, Source
Quench is considered to be too valuable to omit from production
gateways.
> Blocking ICMP traffic through the firewall is one of the common security
But we can be very selective about what ICMP types we want to block (as
noted in the discussion so far). It really does suck to block certain
ICMP types - eg, icmp-destination-unreachable. Sending machines get
insufficient information back about the hosts they are trying to connect
to. This results in mail delays, problems debugging network issues, and
lots of other fun.
Cheers,
Rob
--
Robert Brockway B.Sc.
Senior Technical Consultant, OpenTrend Solutions Ltd.
Phone: 416-669-3073 Email: rbrockway-wgAaPJgzrDxH4x6Dk/4f9A at public.gmane.org http://www.opentrend.net
OpenTrend Solutions: Reliable, secure solutions to real world problems.
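An added example, not part of Rob's message or the thread: an iptables policy that does the selective ICMP filtering argued for above, accepting the error types hosts need (destination-unreachable, time-exceeded, parameter-problem) and errors that conntrack can tie to a live flow, while dropping source-quench and redirect. It assumes a Linux host with iptables and nf_conntrack; DRY_RUN is a variable invented here so the rules can be printed instead of applied.

```shell
#!/bin/sh
# Added example (not from the original thread): selective ICMP filtering on a
# Linux firewall. Assumes iptables and nf_conntrack are available and that the
# INPUT chain otherwise ends in DROP. DRY_RUN=1 (our own variable) prints the
# rules instead of applying them, which is also how the policy is tested.

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

icmp_policy() {
    # ICMP errors tied to a connection in the state table: conntrack checks the
    # embedded IP/TCP header of the error against known flows, so a forged
    # error that matches no live connection is not accepted by this rule.
    run iptables -A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT

    # Error types senders need for PMTU discovery, traceroute and bad headers;
    # blocking these causes the mail delays and debugging pain described above.
    for t in destination-unreachable time-exceeded parameter-problem; do
        run iptables -A INPUT -p icmp --icmp-type "$t" -j ACCEPT
    done

    # Echo: keep ping working, but rate-limit requests so floods stay cheap.
    run iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT
    run iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

    # Types with no legitimate use here: source-quench (the DoS vector under
    # discussion) and redirect (lets a peer rewrite our routes). Log, then drop.
    for t in source-quench redirect; do
        run iptables -A INPUT -p icmp --icmp-type "$t" -m limit --limit 1/min -j LOG --log-prefix "icmp-$t: "
        run iptables -A INPUT -p icmp --icmp-type "$t" -j DROP
    done

    # Everything else ICMP is dropped silently.
    run iptables -A INPUT -p icmp -j DROP
}

# Dry-run helper: how many emitted rules give ICMP type $1 the verdict $2.
count_rules() {
    ( DRY_RUN=1; icmp_policy ) | grep -c -- "--icmp-type $1 .*-j $2"
}
```

Run `DRY_RUN=1 sh thisfile.sh` after appending a call to `icmp_policy` to review the rule set before applying it.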
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org