From owner-freebsd-hackers  Sat Nov 18  6:54:50 2000
Delivered-To: freebsd-hackers@freebsd.org
Received: from freesbee.wheel.dk (freesbee.wheel.dk [193.162.159.97])
	by hub.freebsd.org (Postfix) with ESMTP id 1D84B37B479
	for <hackers@FreeBSD.ORG>; Sat, 18 Nov 2000 06:54:48 -0800 (PST)
Received: by freesbee.wheel.dk (Postfix, from userid 1001)
	id BCE1B3E5B; Sat, 18 Nov 2000 15:54:46 +0100 (CET)
Date: Sat, 18 Nov 2000 15:54:46 +0100
From: Jesper Skriver <jesper@skriver.dk>
To: Alfred Perlstein <bright@wintelcom.net>
Cc: hackers@FreeBSD.ORG
Subject: Re: React to ICMP administratively prohibited ?
Message-ID: <20001118155446.A81075@skriver.dk>
References: <20001117211013.C9227@skriver.dk> <20001117142904.T18037@fw.wintelcom.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20001117142904.T18037@fw.wintelcom.net>; from bright@wintelcom.net on Fri, Nov 17, 2000 at 02:29:04PM -0800
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, Nov 17, 2000 at 02:29:04PM -0800, Alfred Perlstein wrote:
> * Jesper Skriver <jesper@skriver.dk> [001117 12:11] wrote:
> [snip]
> > 
> > This timeout could be avoided if the sending mail server reacted to the
> > 'ICMP administratively prohibited' they got from our router.
> [snip]
> > 
> > $ telnet nemo.dyndns.dk 25
> > Trying 193.89.247.125...
> > telnet: Unable to connect to remote host: No route to host
> > $ uname -a
> > Linux xyz.dk 2.0.32 #1 Wed Nov 19 00:46:45 EST 1997 i586 unknown
> > 
> > Wouldn't it be a idea to implement a similar behaviour in FreeBSD ?
> 
> Probably not, what if one started a stream of spoofed ICMP lying
> about the state of the route between the two machines?  I have
> the impression that the Linux box wouldn't be able to connect
> because of this behavior.

Correct, a attacker could in theory make sure we couldn't connect to 
a given remote box, but as I see it, it's mostly in teory.

We could only react to this if we had a TCP session where we was
waiting for a SYN/ACK from this specific host, this only leaves a very
narrow window for a attacker to abuse, as he had to know both
destination and time.

Do you agree ?

/Jesper

-- 
Jesper Skriver, jesper(at)skriver(dot)dk  -  CCIE #5456
Work:    Network manager @ AS3292 (Tele Danmark DataNetworks)
Private: Geek            @ AS2109 (A much smaller network ;-)

One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message