Re: Stealthing
- From: roberson@xxxxxxxxxxxx (Walter Roberson)
- Date: Wed, 14 Jun 2006 14:02:34 GMT
In article <4f9m48F1i2v68U2@xxxxxxxxxxxxxx>,
Sebastian Gottschalk <seppi@xxxxxxxxx> wrote:
> Walter Roberson wrote:
>> - no response if the last router (or firewall) in the chain has been set
>> to not return icmp responses for unavailable devices [this is
>> fairly common]
> Better said: This is fairly uncommon except at some very lousy big ISPs
> (like AOL) and creates various types of problems.
Its opposite creates "various types of problems" as well.
There are no security features in icmp, and in particular there
is no authentication that an ICMP ECHO packet comes from the IP
that it claims to come from. If a terminal firewall or router
responds to ICMP ECHO requests directed to non-existent systems with
ICMP UNREACHABLE packets (of whatever subtype), then that firewall
or router makes a nifty contribution to DDoS (Distributed Denial
of Service) attacks.
Furthermore, it takes resources on the security gateway to
ARP for the destination, hold that status until a timeout, and then
create an ICMP UNREACHABLE packet. If the security gateway has a
heavy load -- normal traffic or just a lot of random probes or a DoS
or DDoS attack -- then responding can be an unaffordable drain on
resources.
For these reasons, -many- security gateways are set to NOT respond
to ICMP ECHO, and NOT respond to TCP or UDP packets that do not
match the local security policy. It is most definitely not
just "some very lousy big ISPs" that do this.
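The reflection point made in the post above, as an added example (this is illustrative code written for this page, not code from the poster or from any particular firewall): a small model of a perimeter gateway that receives an ICMP ECHO request whose source address has been forged to a victim's address, aimed at an address behind the gateway where no host exists. With the "respond" policy the gateway builds an RFC 792 Destination Unreachable (type 3, code 1, quoting the offending IP header plus its first 8 bytes) and, because ICMP carries no authentication of the source, addresses it to the forged source, i.e. the victim. With the "drop" policy it emits nothing. The addresses (203.0.113.x, 198.51.100.x) are RFC 5737 documentation ranges chosen for the example, the live-host set is a constructed stand-in for the gateway's ARP result, and the packets are built in memory rather than put on a wire.

```python
"""Model of a perimeter gateway's two possible answers to a probe aimed at a
non-existent host behind it: reply with ICMP Destination Unreachable, or stay
silent.  Added example for this page, not the original poster's code."""
import ipaddress
import struct

ICMP_ECHO_REQUEST = 8
ICMP_DEST_UNREACH = 3
ICMP_HOST_UNREACH = 1   # code 1 of type 3
IPPROTO_ICMP = 1


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by both IPv4 and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) + payload, checksum filled in."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                         IPPROTO_ICMP, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    csum = inet_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload


def build_echo_request(src: str, dst: str, ident: int = 1, seq: int = 1,
                       data: bytes = b"ping") -> bytes:
    """An ICMP ECHO request; 'src' is whatever the sender puts there, forged or not."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + data
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return build_ipv4(src, dst, icmp)


def parse_ipv4(pkt: bytes):
    """Return (header length, source, destination) of an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return ihl, src, dst


def gateway(pkt: bytes, live_hosts: set, gateway_ip: str,
            send_unreachable: bool):
    """Return the packet the gateway emits in response, or None if it drops.

    'live_hosts' stands in for the result of ARPing the inside network
    (a constructed assumption; a real gateway would wait for an ARP timeout
    first, which is the resource cost the post mentions).
    """
    ihl, src, dst = parse_ipv4(pkt)
    if dst in live_hosts:
        return None          # would be forwarded inward; not modelled here
    if not send_unreachable:
        return None          # silent drop: nothing for an attacker to reflect
    # RFC 792 Destination Unreachable: type, code, checksum, 4 unused bytes,
    # then the offending datagram's IP header plus its first 8 bytes.
    quoted = pkt[: ihl + 8]
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    # The reply goes to the packet's claimed source.  If that was forged,
    # the gateway has just sent unsolicited traffic to a third party.
    return build_ipv4(gateway_ip, src, icmp)


def reflect_demo(victim: str, gateway_ip: str, target: str,
                 send_unreachable: bool):
    """Attacker forges an ECHO request with the victim's address as source.

    Returns the destination address the gateway's reply is sent to, or None
    when the gateway stays silent.
    """
    probe = build_echo_request(victim, target)
    reply = gateway(probe, live_hosts={"198.51.100.10"},
                    gateway_ip=gateway_ip, send_unreachable=send_unreachable)
    if reply is None:
        return None
    _, _, reply_dst = parse_ipv4(reply)
    return reply_dst


if __name__ == "__main__":
    for policy in (True, False):
        where = reflect_demo("203.0.113.7", "198.51.100.1", "198.51.100.200", policy)
        print("respond" if policy else "drop   ", "->", where or "nothing sent")
```

Run stand-alone, the "respond" policy reports the reply going to 203.0.113.7, the forged source that never sent anything, while the "drop" policy reports nothing sent. The model deliberately skips the ARP wait; the post's second point is that a real gateway holds state for that timeout before it can even decide to reply, which is why dropping is cheaper under load as well as safer against reflection.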