lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <7568.198.162.158.16.1121206114.squirrel@65.61.200.197>
Date: Tue Jul 12 23:09:56 2005
From: eric at arcticbears.com (Eric Paynter)
Subject: ICMP Security Vulnerabilities - NEW (cough)

On Tue, July 12, 2005 2:42 pm, Vic Vandal said:
> 3)
[...]
>   I will acknowledge that the first "widely published" discussion
>   on the exact topic of ICMP filtering was "probably" in the 1995
>   release of "Building Internet Firewalls" (by Chapman and Zwicky).
>   I had the book in my desk back then, but left it behind when I
>   left the organization that paid for it.  IF I still had it, I'd
>   gladly quote it directly to verify the exact verbiage/discussion
>   of the topic therein.

I just happen to have "Building Internet Firewalls" on my desk, 2nd
Edition published in 2000, I guess updated since your version. Although
there is a whole chapter on ICMP filtering, the basic advice for source
quench is to allow it, so this particular source still didn't know about
the problems in 2000. The only relevant quotes I could find were in
Chapter 22:

"The other ICMP message types you probably want to allow, both inbound and
outbound, are 'source quench' (used by a receiver to tell a sender to
'slow down' because it's sending data too fast) and 'parameter
problem'..." p 652

"In general, you want to allow ICMP outbound only when it has the chance
of doing you some good. Both 'source quench' and 'parameter problem' are
used to get the sending host to be nicer to you and are worth allowing
outbound." p 653

And in a summary table for ICMP, under "Permit/Deny", next to "Message
Type 4",  it says "Should usually be allowed in both directions." p 654

-Eric

--
arctic bears - email and dns services
http://www.arcticbears.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ