RE: TCP/IP Stack Hardening
From: dave kleiman (dave_at_isecureu.com)
Date: 12/23/03
- Previous message: Frank Knobbe: "RE: TCP/IP Stack Hardening"
- In reply to: Frank Knobbe: "RE: TCP/IP Stack Hardening"
- Next in thread: dave kleiman: "RE: TCP/IP Stack Hardening"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <focus-ms@securityfocus.com>
Date: Mon, 22 Dec 2003 23:37:22 -0500
Yes sir agreed on the segment and routing, that is why I said the thing
about the DMZ zones in both my posts.
But what happens is, if ICMP redirect is disabled (DO NOT ASK ME WHY BUT
TEST IT) and PMTU Discovery is on, it keeps the redirect in the routing
table.
Yes it keeps it permanently!!!!!!!!! This was back a while when we tested
this.
Actually, I think we found this by accident when we were trying to figure out
why it was still working with it on.
There was also a certain combination of the "deadgateway" settings.
I will see if I can find the KB we eventually located about it. Of course I
would not say that some service-pack/hot-fix has not "corrected" this
problem.
_______________________________
Dave Kleiman, CISSP, MCSE, CIFI
www.SecurityBreachResponse.com
"High achievement always takes place in the framework of high expectation."
Jack Kinder
-----Original Message-----
From: Frank Knobbe [mailto:frank@knobbe.us]
Sent: Monday, December 22, 2003 23:21
To: dave kleiman
Cc: focus-ms@securityfocus.com; 'Hoffmann, Aran'
Subject: RE: TCP/IP Stack Hardening
On Mon, 2003-12-22 at 18:31, dave kleiman wrote:
> That statement is somewhat correct. PMTU discovery only affects
> packets outside your local subnet, therefore "should" not affect your
> internal network performance.
Yes, as you (and others) have stated, packets to the local subnet are still
sent with the MTU of that adapter. Perhaps I'm so used to having systems in
firewall segments and other setups that require routing that this fact just
didn't seem important anymore. For most situations where you harden systems,
you do it for the purpose of securing the system from outside access,
meaning that packets are routed.
> Secondly if you set the PMTU Discovery to 0, and a host route is added
> to the Windows 2000 routing table via an ICMP redirect from the
> default gateway, that host route will not be removed.
>
> So, by NOT following your recommendation for PMTU Discovery, you
> inadvertently fix your problem caused by NO ICMP redirect.
I'm not sure I'm following you here. Without ICMP Redirect enabled, Windows
will not update its routing table when it receives these ICMP packets. With
it enabled, it will update the routing table with a route to the target for
a certain amount of time. Are you saying that by setting PMTU discovery to
0, you cause Windows to retain these routes permanently? Ouch... that might
make for a nice DoS by overflowing/saturating the routing table... :)
Cheers,
Frank
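As an added example (not code from either poster), a PowerShell audit that reads the three Windows TCP/IP stack settings discussed in this thread and lists the gateway-bearing host routes an ICMP redirect would install, so an admin can check for the "ICMP redirect off, PMTU discovery on" combination and watch whether /32 routes accumulate. The registry value names are the documented Tcpip\Parameters values; Get-NetRoute assumes Windows 8 / Server 2012 or later.

```powershell
# Added audit example, not from the thread: report the Tcpip\Parameters values
# discussed above and the host routes currently in the routing table.
# Value names are the documented ones; Get-NetRoute needs Windows 8 / 2012+.

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-TcpipSetting {
    param([string]$Name, [int]$Default)
    $item = Get-ItemProperty -Path $params -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }   # value absent => stack default applies
    return [int]$item.$Name
}

# Stack defaults: redirects honoured, PMTU discovery on, dead-gateway detection on.
$settings = [ordered]@{
    EnableICMPRedirect  = Get-TcpipSetting -Name 'EnableICMPRedirect'  -Default 1
    EnablePMTUDiscovery = Get-TcpipSetting -Name 'EnablePMTUDiscovery' -Default 1
    EnableDeadGWDetect  = Get-TcpipSetting -Name 'EnableDeadGWDetect'  -Default 1
}
$settings.GetEnumerator() | ForEach-Object { '{0,-22} = {1}' -f $_.Key, $_.Value }

if ($settings.EnableICMPRedirect -eq 0 -and $settings.EnablePMTUDiscovery -eq 1) {
    Write-Warning ('ICMP redirects disabled but PMTU discovery enabled: this is the ' +
                   'combination the thread reports as retaining redirect host routes. ' +
                   'Verify on this build and watch the host-route count below.')
}

# An ICMP redirect installs a /32 host route via a gateway. On-link /32 entries
# (NextHop 0.0.0.0) are local/broadcast addresses and are excluded. A set of
# gateway-bearing /32 routes that never ages out is the symptom described above.
$hostRoutes = Get-NetRoute -AddressFamily IPv4 |
    Where-Object { $_.DestinationPrefix -like '*/32' -and $_.NextHop -ne '0.0.0.0' }
"Host routes with a gateway: $($hostRoutes.Count)"
$hostRoutes | Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric |
    Format-Table -AutoSize
```

Run it from an elevated prompt before and after a redirect-triggering test on a lab host to see whether the /32 entries age out.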