Re: highly secure live CD distro

From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: 02/23/05


Date: Wed, 23 Feb 2005 14:37:27 -0600

In article <slrnd1mfpv.b5d.zawrotny@localhost.localdomain>,
Michael Zawrotny wrote:

>If you REJECT, that requires sending an ICMP destination unreachable
>packet (see http://www.iana.org/assignments/icmp-parameters for
>type and sub-type numbers). This can eat up your bandwidth on a slow
>connection. DROPing saves the outgoing packets, but is not compliant
>with the various RFCs, and therefore technically results in a host
>with "broken" networking.

It also triples the number of wasted inbound packets. TCP/IP works on
making an unreliable connection reliable. It does this by retrying to send
packets that appear to have fallen through the cracks in the cloud.

>If you have control of the upstream firewall (which I assume
>the OP did not), I would recommend blocking at the firewall with
>an ICMP host-unreachable (type 3/1), which makes it look like the
>host is turned off.

Agreed.

>That's not as practical for a single host, since the ICMP return packet
>will have the allegedly unreachable host as the source address.

I've heard that some consumer-grade firewalls (read windoze personal garbage)
have suggested sending a 3/1 back as a smoke screen. This neglects the rather
obvious fact that the source address in the ICMP packet is the original
destination... but no one would notice that, right? ;-)

>That is why I suggested DROP for the OP. For a different situation, I
>would have said REJECT.

Some windoze worms try a ping (ICMP 8) first, to see if the host is up
before they try to connect via TCP. However, this may just be one of the
thousands of different windoze worm kits.

        Old guy
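The following is an added example, not part of the original post or either poster's code. It builds the ICMP Destination Unreachable (type 3) message that a REJECT rule would emit for a TCP SYN, first as sent by the target host itself and then as sent by an upstream firewall, and then decodes the result to show the giveaway described above: when the host answers "host unreachable" (3/1) on its own behalf, the IP source of the ICMP error is the very address the quoted header says is unreachable. The addresses (198.51.100.7 scanning 192.0.2.10 behind a firewall at 192.0.2.1) are constructed documentation-range values, and the packet builders are minimal (no IP options, TCP checksum left zero) because only the headers matter here.

```python
"""
Build and inspect ICMP Destination Unreachable (type 3) messages to show why a
host that REJECTs its own traffic with code 1 (host unreachable) gives itself
away: the ICMP error's IP source address is the host it claims is down.
Added example, not from the original post; addresses are constructed
RFC 5737 documentation values.
"""
import socket
import struct

ICMP_DEST_UNREACH = 3
ICMP_HOST_UNREACH = 1      # type 3 / code 1, as discussed in the thread
IPPROTO_ICMP = 1
IPPROTO_TCP = 6


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (0 when verifying a good packet)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options) with a correct header checksum, plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_tcp_syn(sport: int, dport: int, seq: int = 0x1000) -> bytes:
    """20-byte TCP header with only SYN set; TCP checksum left zero (irrelevant here)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 65535, 0, 0)


def build_icmp_unreachable(code: int, offending: bytes) -> bytes:
    """RFC 792 Destination Unreachable: type 3, code, checksum, 4 unused bytes,
    then the offending packet's IP header plus the first 8 bytes of its data."""
    ihl = (offending[0] & 0x0F) * 4
    msg = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + offending[:ihl + 8]
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def reject(sender: str, offending: bytes, code: int = ICMP_HOST_UNREACH) -> bytes:
    """What a REJECT rule emits: an ICMP error from `sender` back to the offending packet's source."""
    orig_src = socket.inet_ntoa(offending[12:16])
    return build_ipv4(sender, orig_src, IPPROTO_ICMP, build_icmp_unreachable(code, offending))


def parse_icmp_unreachable(packet: bytes) -> dict:
    """Decode an IP/ICMP type-3 packet: who sent it, to whom, and the flow it quotes."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_ICMP:
        raise ValueError("not ICMP")
    icmp = packet[ihl:]
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    if icmp[0] != ICMP_DEST_UNREACH:
        raise ValueError("not Destination Unreachable")
    quoted = icmp[8:]                       # original IP header + 8 bytes of its data
    qihl = (quoted[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", quoted[qihl:qihl + 4])
    return {
        "icmp_src": socket.inet_ntoa(packet[12:16]),
        "icmp_dst": socket.inet_ntoa(packet[16:20]),
        "code": icmp[1],
        "orig_src": socket.inet_ntoa(quoted[12:16]),
        "orig_dst": socket.inet_ntoa(quoted[16:20]),
        "orig_proto": quoted[9],
        "orig_sport": sport,
        "orig_dport": dport,
    }


def claims_self_unreachable(packet: bytes) -> bool:
    """True when a "host unreachable" error was sent by the very host it says is
    unreachable, i.e. the ICMP source equals the quoted packet's destination."""
    info = parse_icmp_unreachable(packet)
    return info["code"] == ICMP_HOST_UNREACH and info["icmp_src"] == info["orig_dst"]


# Constructed scenario: a scanner at 198.51.100.7 sends a SYN to port 22 on 192.0.2.10.
SCANNER, TARGET, UPSTREAM_FW = "198.51.100.7", "192.0.2.10", "192.0.2.1"
PROBE = build_ipv4(SCANNER, TARGET, IPPROTO_TCP, build_tcp_syn(40000, 22))

# Case 1: the target host itself answers 3/1 (the "smoke screen").
HOST_REJECT = reject(TARGET, PROBE)
# Case 2: an upstream firewall answers 3/1 on the host's behalf.
FIREWALL_REJECT = reject(UPSTREAM_FW, PROBE)

if __name__ == "__main__":
    for label, pkt in (("host", HOST_REJECT), ("upstream firewall", FIREWALL_REJECT)):
        info = parse_icmp_unreachable(pkt)
        print(f"{label:17}: ICMP 3/{info['code']} from {info['icmp_src']} about "
              f"{info['orig_src']}:{info['orig_sport']} -> {info['orig_dst']}:{info['orig_dport']}; "
              f"self-contradicting={claims_self_unreachable(pkt)}")
```

Run stand-alone it prints both cases; only the host-sent error is flagged, because a scanner only has to compare the outer IP source with the destination quoted inside the ICMP payload. The upstream-firewall error passes that check, which is why the thread prefers it when the upstream device is under your control, and DROP when it is not.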
