Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)

From: Meritt James (meritt_james@bah.com)
Date: 02/05/03

    Date: Wed, 05 Feb 2003 09:35:44 -0500
    From: "Meritt James" <meritt_james@bah.com>
    To: Christian Vogel <chris@obelix.hedonism.cx>
    
    

    I thought it was very useful in finding out remote routes... And we
    will not even TALK about firewalking!

    ;-)

    Jim

    Christian Vogel wrote:
    >
    > Hi Frederic,
    >
    > > Although I _could_ agree as far as firewalls are concerned, I don't
    > > when it comes to routers.
    > > Blocking/dropping any ICMP packet usually turns into a real nightmare
    > > when you've to perform troubleshooting on a wide network.
    >
    > Please don't spread the word that ICMP only is for troubleshooting
    > networks. ICMP has its uses besides "PING", the most important one
    > being "Path-MTU-Discovery" which will break when filtering all
    > ICMP packets! [1]
    >
    > There is a really frightening number of clueless admins who misconfigure
    > their firewalls this way!

    -- 
    James W. Meritt CISSP, CISA
    Booz | Allen | Hamilton
    phone: (410) 684-6566
    

