Date: Sat, 18 Nov 2000 15:54:46 +0100 From: Jesper Skriver <jesper@skriver.dk> To: Alfred Perlstein <bright@wintelcom.net> Cc: hackers@FreeBSD.ORG Subject: Re: React to ICMP administratively prohibited ? Message-ID: <20001118155446.A81075@skriver.dk> In-Reply-To: <20001117142904.T18037@fw.wintelcom.net>; from bright@wintelcom.net on Fri, Nov 17, 2000 at 02:29:04PM -0800 References: <20001117211013.C9227@skriver.dk> <20001117142904.T18037@fw.wintelcom.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Nov 17, 2000 at 02:29:04PM -0800, Alfred Perlstein wrote: > * Jesper Skriver <jesper@skriver.dk> [001117 12:11] wrote: > [snip] > > > > This timeout could be avoided if the sending mail server reacted to the > > 'ICMP administratively prohibited' they got from our router. > [snip] > > > > $ telnet nemo.dyndns.dk 25 > > Trying 193.89.247.125... > > telnet: Unable to connect to remote host: No route to host > > $ uname -a > > Linux xyz.dk 2.0.32 #1 Wed Nov 19 00:46:45 EST 1997 i586 unknown > > > > Wouldn't it be a idea to implement a similar behaviour in FreeBSD ? > > Probably not, what if one started a stream of spoofed ICMP lying > about the state of the route between the two machines? I have > the impression that the Linux box wouldn't be able to connect > because of this behavior. Correct, a attacker could in theory make sure we couldn't connect to a given remote box, but as I see it, it's mostly in teory. We could only react to this if we had a TCP session where we was waiting for a SYN/ACK from this specific host, this only leaves a very narrow window for a attacker to abuse, as he had to know both destination and time. Do you agree ? /Jesper -- Jesper Skriver, jesper(at)skriver(dot)dk - CCIE #5456 Work: Network manager @ AS3292 (Tele Danmark DataNetworks) Private: Geek @ AS2109 (A much smaller network ;-) One Unix to rule them all, One Resolver to find them, One IP to bring them all and in the zone to bind them. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001118155446.A81075>