Re: highly secure live CD distro

From: Michael Zawrotny (zawrotny_at_sb.fsu.edu)
Date: 02/23/05


Date: 23 Feb 2005 22:01:30 GMT

Moe Trin <ibuprofin@painkiller.example.tld> wrote:
> Michael Zawrotny wrote:
>
> >DROPing saves the outgoing packets, but is not compliant with the
> >various RFCs, and therefore technically results in a host with
> >"broken" networking.
>
> It also triples the amount of wasted inbound packets. TCP/IP works
> on making an unreliable connection reliable. It does this by
> retrying to send packets that appear to have fallen through the
> cracks in the cloud.

Good point, I hadn't thought of that. On the other hand, how much
unsolicited incoming traffic should a home user expect?

I don't know how the worms or exploit kits work, but I just tried
a single port (without ping) nmap run from my workstation to my
laptop (nmap -P0 -p 22 laptop) and tcpdump only reported two SYN
packets sent. So for nmap at least, it's a toss-up: one incoming and
one outgoing icmp versus two incoming.

> I've heard that some consumer grade firewalls (read windoze personal garbage)
> have suggested sending a 3/1 back as a smoke screen. This neglects the rather
> obvious fact that the source address in the ICMP packet is the original
> destination... but no one would notice that, right? ;-)

Nobody but us I guess.

> >That is why I suggested DROP for the OP. For a different situation, I
> >would have said REJECT.
>
> Some windoze worms try a ping (ICMP 8) first, to see if the host is up
> before they try to connect via TCP. However, this may just be one of the
> thousands of different windoze worm kits.

Right, but the question then becomes whether or not the worm skips
non-pingable hosts. If it skips them, there is no additional cost
in dropping ping packets. If you don't want to be pinged you can't
send a host-unreachable as we agreed above (unless you are upstream).

Mike

-- 
Michael Zawrotny
Institute of Molecular Biophysics
Florida State University                | email:  zawrotny@sb.fsu.edu
Tallahassee, FL 32306-4380              | phone:  (850) 644-0069
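The "3/1 smoke screen" point above, as an added example that is not part of the thread: it builds the SYN probe a scanner would send, the ICMP type 3 / code 1 reply a host running REJECT would emit, and parses that reply to show that the outer source address is the host itself. Addresses, ports and the `wire_cost` tally (which models the two-SYN nmap run Mike describes) are constructed for illustration.

```python
import socket
import struct

# Constructed addresses (documentation ranges), not from the thread.
SCANNER = "192.0.2.10"
TARGET = "198.51.100.5"


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left at zero since nothing is sent."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def tcp_syn(sport, dport):
    """Minimal 20-byte TCP header with only the SYN flag set."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def reject_with_icmp(probe):
    """What a host answering with ICMP host-unreachable emits: type 3 / code 1,
    quoting the probe's IP header plus 8 bytes (RFC 792), wrapped in an IPv4
    header whose source field is necessarily the host's own address."""
    src, dst = socket.inet_ntoa(probe[12:16]), socket.inet_ntoa(probe[16:20])
    icmp = struct.pack("!BBHI", 3, 1, 0, 0) + probe[:28]
    return ipv4_header(dst, src, 1, len(icmp)) + icmp


def parse_reply(packet):
    """Pull out the fields a scanner would look at in the ICMP error."""
    quoted = packet[28:]
    return {"outer_src": socket.inet_ntoa(packet[12:16]),
            "outer_dst": socket.inet_ntoa(packet[16:20]),
            "type": packet[20], "code": packet[21],
            "quoted_src": socket.inet_ntoa(quoted[12:16]),
            "quoted_dst": socket.inet_ntoa(quoted[16:20]),
            "quoted_dport": struct.unpack("!H", quoted[22:24])[0]}


def smoke_screen_leak(scanner=SCANNER, target=TARGET, dport=22):
    """Build the probe and the host's 3/1 reply; report who the reply says sent it."""
    probe = ipv4_header(scanner, target, 6, 20) + tcp_syn(40000, dport)
    return parse_reply(reject_with_icmp(probe))


def wire_cost(policy, syn_attempts):
    """Packets (inbound, outbound) per probed port: DROP lets the scanner keep
    retrying its SYN, REJECT answers the first one and the scanner stops."""
    return (syn_attempts, 0) if policy == "DROP" else (1, 1)
```

The parsed reply's `outer_src` equals its `quoted_dst`, which is exactly the "source address is the original destination" problem: the unreachable message proves the host is there.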