RE: TCP/IP Stack Hardening

From: dave kleiman (dave_at_isecureu.com)
Date: 12/23/03

    To: <focus-ms@securityfocus.com>
    Date: Mon, 22 Dec 2003 23:37:22 -0500

    Yes sir, agreed on the segment and routing; that is why I said the thing
    about the DMZ zones in both my posts.

    But what happens is, if ICMP redirect is disabled (DO NOT ASK ME WHY, BUT
    TEST IT) and PMTU Discovery is on, it keeps the redirect in the routing
    table.
    Yes, it keeps it permanently!!!!!!!!! This was a while back when we tested
    this.

    Actually, I think we found this by accident when we were trying to figure out
    why it was still working with it on.

    There was also a certain combination of the "deadgateway" settings.

    I will see if I can find the KB we eventually located about it. Of course I
    would not say that some service-pack/hot-fix has not "corrected" this
    problem.

    _______________________________
    Dave Kleiman, CISSP, MCSE, CIFI
    www.SecurityBreachResponse.com

    "High achievement always takes place in the framework of high expectation."
    Jack Kinder


    -----Original Message-----
    From: Frank Knobbe [mailto:frank@knobbe.us]
    Sent: Monday, December 22, 2003 23:21
    To: dave kleiman
    Cc: focus-ms@securityfocus.com; 'Hoffmann, Aran'
    Subject: RE: TCP/IP Stack Hardening

    On Mon, 2003-12-22 at 18:31, dave kleiman wrote:
    > That statement is somewhat correct. PMTU discovery only affects
    > packets outside your local subnet, therefore "should" not affect your
    > internal network performance.

    Yes, as you (and others) have stated, packets to the local subnet are still
    sent with the MTU of that adapter. Perhaps I'm so used to having systems in
    firewall segments and other setups that require routing that this fact just
    didn't seem important anymore. For most situations where you harden systems,
    you do it for the purpose of securing the system from outside access,
    meaning that packets are routed.

    > Secondly if you set the PMTU Discovery to 0, and a host route is added
    > to the Windows 2000 routing table via an ICMP redirect from the
    > default gateway, that host route will not be removed.
    >
    > So, by NOT following your recommendation for PMTU Discovery, you
    > inadvertently fix your problem caused by NO ICMP redirect.

    I'm not sure I'm following you here. Without ICMP Redirect enabled, Windows
    will not update its routing table when it receives these ICMP packets. With
    it enabled, it will update the routing table with a route to the target for
    a certain amount of time. Are you saying that by setting PMTU discovery to
    0, you cause Windows to retain these routes permanently? Ouch... that might
    make for a nice DoS by overflowing/saturating the routing table... :)

    Cheers,
    Frank

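The thread turns on three Windows TCP/IP registry parameters (ICMP redirect handling, PMTU discovery, dead gateway detection) and on whether redirect-learned host routes linger in the routing table. The audit script below is an added example, not code from either poster: it reads the three documented DWORD values under `Tcpip\Parameters` (`EnableICMPRedirect`, `EnablePMTUDiscovery`, `EnableDeadGWDetect`, all of which default to 1 when absent), flags the combination the thread describes so it can be tested on the build in question rather than assumed, and counts host routes in `route print` output that point at a real next hop, which is the heuristic a defender would use to spot a routing table being filled by redirects. The parsing of `route print` and the threshold of 50 routes are this example's own assumptions.

```powershell
# Added audit example for the settings discussed in the thread above.
# Registry value names are the documented Windows TCP/IP parameters; the
# "permanent route" behaviour is the poster's observation and is not asserted here.

$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-DwordOrDefault {
    param($Props, [string]$Name, [int]$Default)
    # A missing DWORD means the stack uses its built-in default (1 = enabled).
    $p = $Props.PSObject.Properties[$Name]
    if ($null -eq $p) { return $Default }
    return [int]$p.Value
}

function Get-TcpipHardeningState {
    $props = Get-ItemProperty -Path $TcpipParams -ErrorAction Stop
    [pscustomobject]@{
        EnableICMPRedirect  = Get-DwordOrDefault $props 'EnableICMPRedirect'  1
        EnablePMTUDiscovery = Get-DwordOrDefault $props 'EnablePMTUDiscovery' 1
        EnableDeadGWDetect  = Get-DwordOrDefault $props 'EnableDeadGWDetect'  1
    }
}

function Get-GatewayHostRoutes {
    # Heuristic (assumption of this example): an IPv4 host route has netmask
    # 255.255.255.255; one whose gateway is a real next hop (not 'On-link' and
    # not the interface's own address) is a candidate for a redirect-learned route.
    $lines = route print
    $routes = foreach ($line in $lines) {
        $f = -split $line.Trim()
        if ($f.Count -ne 5) { continue }                                # skip headers/IPv6 rows
        if ($f[0] -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { continue }     # destination must be IPv4
        if ($f[1] -ne '255.255.255.255') { continue }                   # host routes only
        if ($f[2] -eq 'On-link' -or $f[2] -eq $f[3]) { continue }       # locally owned routes
        [pscustomobject]@{ Destination = $f[0]; Gateway = $f[2]; Interface = $f[3]; Metric = [int]$f[4] }
    }
    return @($routes)
}

$state  = Get-TcpipHardeningState
$routes = Get-GatewayHostRoutes

$state | Format-List
if ($state.EnableICMPRedirect -eq 0) {
    Write-Warning ("EnableICMPRedirect=0 with EnablePMTUDiscovery={0}: the thread reports that " +
                   "redirect-learned host routes may persist in this combination. Verify on this build." -f
                   $state.EnablePMTUDiscovery)
}

Write-Output ("Gateway-learned host routes: {0}" -f $routes.Count)
$routes | Format-Table -AutoSize
if ($routes.Count -gt 50) {
    # Threshold is arbitrary; compare against a baseline taken on a healthy host.
    Write-Warning 'Unusually many next-hop host routes; check whether the table is being filled by ICMP redirects.'
}
```

Run it from an elevated prompt on the host being hardened and keep the output alongside the host's baseline; a growing count of next-hop host routes after a change to these parameters is the symptom both posters are describing and the one worth monitoring.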

