Re: Survive without ICMP?
From: Vogulus (nospam_at_nospam.com)
Date: Thu, 20 May 2004 20:13:20 GMT
Purl Gurl <email@example.com> wrote in
> Stalks wrote:
>> Purl Gurl wrote:
> (lots snipped)
>> > Our system does respond to Port 0 and does send ICMP packets.
>> What is your system? and do all ICMP rules apply to port 0 on this
> Stalks, after reading so many articles on this, here and
> on the internet, I do not have a clue. Everything "assumed"
> has been tossed out my window, along with the wash and baby.
> Actually I was more tempted to toss my girl out a window
> when she became a teenager, but she is past that although
> I remain a teenager, and she is now the mother.
> Stalks, just briefly, we are fed a T1 broadband connection,
> an Orion modem, Linksys programmable router, three machines
> on our LAN, each a highly modified WIN32 system (Not NT)
> with Apache, a dns server and an email server. Apache
> is on one machine. DNS and Email on another, supporting
> programs for my cgi applications, mostly databases, on
> the final machine.
> This week, I will be plugging in a Netscreen appliance and
> linking it to SNORT. This will sit between our modem
> and our router. That should really add some surprises!
> Seems a fairly typical system. I am leaning towards the
> Linksys router responding to port 0 requests. However,
> a timestamp ICMP did make it through to our hack testing.
> This suggests at least one of our machines responding
> to a port 0 probe with an ICMP packet. Might be our
> router stripped the port 0 reference allowing an ICMP
> request to be a multicast non-port specific request.
> However, one of our servers, either DNS or email, has
> a port 0 security feature, don't remember which. I will
> take a look later, although I think it is the DNS server.
> On Linksys responding, I believe this is the origin of
> the ICMP packet for a netmask. This makes sense because
> our router is netmasked for a single ip address on
> the T1 WAN system. Our internal LAN netmasking is
> multiple addresses, and this did not show in probes.
> To add confusion, each machine is netmasked for
> a single ip address (255.255.255.0) which may
> also be the port 0 ICMP response.
> Hack probes for port 0 did yield ICMP packets.
> Your guess is good as any, Stalks. I have been rendered
> literally clueless on this.
>> May the ping be with you ....
> I told you to stop that!
> Purl Gurl
Is it your goal to troll the internet pulling statements out of your
I wish you'd get back to day trading... or running the casino. Whatever