Re: highly secure live CD distro

From: Michael Zawrotny (
Date: 02/23/05

Date: 23 Feb 2005 22:01:30 GMT

Moe Trin <ibuprofin@painkiller.example.tld> wrote:
> Michael Zawrotny wrote:

> >DROPing saves the outgoing packets, but is not compliant with the
> >various RFCs, and therefore technically results in a host with
> >"broken" networking.
> It also triples the amount of wasted inbound packets. TCP/IP works
> on making an unreliable connection reliable. It does this by
> retrying to send packets that appear to have fallen through the
> cracks in the cloud.

Good point, I hadn't thought of that. On the other hand how much
unsolicited incoming traffic should a home user expect?

I don't know how the worms or exploit kits work, but I just tried
a single port (without ping) nmap run from my workstation to my
laptop (nmap -P0 -p 22 laptop) and tcpdump only reported two SYN
packets sent. So for nmap at least, it's a toss-up: one incoming and
one outgoing icmp versus two incoming.

> I've heard that some consumer grade firewalls (read windoze personal garbage)
> have suggested sending a 3/1 back as a smoke screen. This neglects the rather
> obvious fact that the source address in the ICMP packet is the original
> destination... but no one would notice that, right? ;-)

Nobody but us I guess.

> >That is why I suggested DROP for the OP. For a different situation, I
> >would have said REJECT.
> Some windoze worms try a ping (ICMP 8) first, to see if the host is up
> before they try to connect via TCP. However, this may just be one of the
> thousands of different windoze worm kits.

Right, but the question then becomes whether or not the worm skips
non-pingable hosts. If it skips them, there is no additional cost
in dropping ping packets. If you don't want to be pinged you can't
send a host-unreachable as we agreed above (unless you are upstream).


Michael Zawrotny
Institute of Molecular Biophysics
Florida State University                | email:
Tallahassee, FL 32306-4380              | phone:  (850) 644-0069