Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)

From: Meritt James (meritt_james@bah.com)
Date: 02/05/03

Next message: Andy Bastien: "email address probes"

Previous message: Fitzgerald, John: "RE: Packets from 255.255.255.255(80) (was: Packet from port 80 wi th spoofed microsoft.com ip)"
In reply to: Christian Vogel: "Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)"
Next in thread: Geert Kiers: "Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Wed, 05 Feb 2003 09:35:44 -0500
From: "Meritt James" <meritt_james@bah.com>
To: Christian Vogel <chris@obelix.hedonism.cx>

I thought it was very useful in finding out remote routes... And we
will not even TALK about firewalking!

;-)

Jim

Christian Vogel wrote:
>
> Hi Frederic,
>
> > Although I _could_ agree as far as a firewalls are concerned, I don't
> > when it comes to routers.
> > Blocking/droping any ICMP packet usually turns into a real nightmare
> > when you've to perform troubleshooting on a wide network.
>
> Please don't spread the word that ICMP only is for troubleshooting
> networks. ICMP has it's uses beside "PING", the most important one
> being "Path-MTU-Discovery" which will break when filtering all
> ICMP packets! [1]
>
> There is a really frightening number of clueless admins which misconfigure
> their firewalls this way!

-- 
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Andy Bastien: "email address probes"
Previous message: Fitzgerald, John: "RE: Packets from 255.255.255.255(80) (was: Packet from port 80 wi th spoofed microsoft.com ip)"
In reply to: Christian Vogel: "Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)"
Next in thread: Geert Kiers: "Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)
... > Blocking/droping any ICMP packet usually turns into a real nightmare ... > when you've to perform troubleshooting on a wide network. ... Please don't spread the word that ICMP only is for troubleshooting ...
(Incidents)
Re: Site configuration for remote offices
... Network issues were the problem. ... it sends a ICMP packet that is larger than 1024. ... >> I ran gpresult against one of the remote workstations and received this ... >> I've doubled checked the DNS settings and they are correct. ...
(microsoft.public.windows.server.active_directory)
Re: [Full-Disclosure] ICMP Covert channels question
... > time frame within with your icmp packet would be delivered because the ... > firewall is still translating the address/port for that session. ... arrives at routers wan port with a source ip of an internal host will ... is make it send packets to a bounce server outsede the network, ...
(Full-Disclosure)