Re: Stealthing



Walter Roberson wrote:

There are no security features in icmp, and in particular there
is no authentication that an ICMP ECHO packet comes from the IP
that it claims to come from. If a terminal firewall or router
responds to ICMP ECHO requests directed to non-existent systems with
ICMP UNREACHABLE packets (of whatever subtype), then that firewall
or router makes a nifty contribution to DDoS (Distributed Denial
of Service) attacks.

Why? How?

Furthermore, it takes resources on the security gateway to
ARP for the destination, hold that status until a timeout, and then
create an ICMP UNREACHABLE packet. If the security gateway has a
heavy load -- normal traffic or just a lot of random probes or a DoS
or DDoS attack -- then responding can be an unaffordable drain on
resources.

That's what rate limits are good for!

For these reasons, -many- security gateways are set to NOT respond
to ICMP ECHO, and NOT respond to TCP or UDP packets that do not
match the local security policy.

Fine, but routers at your ISP are not primarily security gateways.
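Walter's resource argument and the rate-limit reply above, worked through as an added toy model that is not from this thread: a gateway that ARPs for every probed non-existent host, holds the pending entry until it times out and then generates an ICMP Destination Unreachable, compared with one that bounds its pending-ARP table and token-bucket-limits the errors it emits. Every parameter (3 s ARP timeout, 500-entry table, 10 errors/s with a burst of 20, one probe per millisecond, the RFC 5737 claimed source) is a constructed assumption, not a value from the thread or any real product.

```python
from collections import deque
ARP_TIMEOUT_MS = 3000   # how long a pending ARP for a non-existent host is held

class Gateway:
    # Time is integer ms; ICMP limiter is a token bucket in millitokens (exact ints).
    def __init__(self, max_pending=None, icmp_rate=None, icmp_burst=0):
        self.max_pending = max_pending   # None: unbounded pending-ARP table
        self.icmp_rate = icmp_rate       # ICMP errors per second; None: unlimited
        self.burst = self.tokens = icmp_burst * 1000
        self.last_refill = 0
        self.pending = deque()           # (expiry_ms, claimed_src) in arrival order
        self.peak_pending = 0
        self.stats = {"unreachable_sent": 0, "unreachable_suppressed": 0, "probes_dropped": 0}

    def _take_token(self, now):
        if self.icmp_rate is None:
            return True
        self.tokens = min(self.burst, self.tokens + (now - self.last_refill) * self.icmp_rate)
        self.last_refill = now
        if self.tokens < 1000:
            return False
        self.tokens -= 1000
        return True

    def _expire(self, now):
        # A timed-out ARP yields an ICMP Destination Unreachable addressed to the
        # probe's unauthenticated, possibly spoofed, source (unless rate-limited).
        while self.pending and self.pending[0][0] <= now:
            expiry, _claimed_src = self.pending.popleft()
            sent = self._take_token(expiry)
            self.stats["unreachable_sent" if sent else "unreachable_suppressed"] += 1

    def probe(self, now, claimed_src):
        self._expire(now)
        if self.max_pending is not None and len(self.pending) >= self.max_pending:
            self.stats["probes_dropped"] += 1   # table full: no ARP, no state, no reply
            return
        self.pending.append((now + ARP_TIMEOUT_MS, claimed_src))
        self.peak_pending = max(self.peak_pending, len(self.pending))

    def finish(self, now):
        self._expire(now)
        return dict(self.stats, peak_pending=self.peak_pending)

def flood(gateway, probes=10_000):
    # One probe per ms for non-existent hosts, same claimed source (RFC 5737 address).
    for t in range(probes):
        gateway.probe(t, "203.0.113.7")
    return gateway.finish(probes + ARP_TIMEOUT_MS)
```

Running `flood(Gateway())` against `flood(Gateway(max_pending=500, icmp_rate=10, icmp_burst=20))` shows the unlimited gateway holding 3000 pending ARPs and answering every probe, while the limited one holds at most 500 and emits under a hundred errors for the same ten thousand probes.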