Interesting article about punching holes in firewalls...
Cedric Blancher
blancher at cartel-securite.fr
Wed Dec 20 04:42:11 CET 2006
On Tuesday, 19 December 2006 at 19:53 +0100, Martijn Lievaart wrote:
> ICMP filtering is not tricky. Just remember the rules.
> 1) NEVER, EVER, EVER filter out fragmentation needed.
;)
> 2) You may filter out ping, and the various destination unreachables,
> the consequences are yours.
Actually, Fragmentation Needed is one of various Destination Unreachable
messages... Type 3, code 4.
> 3) Everything else can be filtered without consequences.
Time Exceeded?
> If you mean, it is hard for a firewall to filter malicious ICMPs but not
> benign ICMPs, then we agree.
That was my point.
> I have not heard of a fragmentation needed attack yet, but I can
> imagine it happening (analogous to the zero windowsize attack).
You can use Frag Needed to degrade performance. See section 7 of:
http://www.gont.com.ar/drafts/icmp-attacks/draft-ietf-tcpm-icmp-attacks-01.txt
You can also use Source Quench.
--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
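
Added example, not part of the original message or of netfilter's code: a Python sketch of the checks that separate a plausible Fragmentation Needed (type 3, code 4) from a forged one, by validating the quoted IP/TCP header against a known connection. The flow table layout, the function names and the sample addresses are assumptions made for illustration; a host knows its own TCP state exactly, while a filtering middlebox can only approximate it.

```python
import struct

MIN_PMTU = 68  # RFC 1191: a path MTU is never lowered below 68 octets

def check_frag_needed(icmp: bytes, flows: dict) -> str:
    """Classify an ICMP message given as bytes starting at the ICMP header.

    flows (hypothetical table) maps (src, dst, sport, dport) of a TCP
    connection we send on to its snd_una, snd_nxt and current path MTU.
    The ICMP checksum is not verified here.
    """
    if len(icmp) < 8 + 20 + 8:
        return "drop: truncated"
    icmp_type, code, _csum, _unused, next_mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):
        return "not frag-needed"
    inner = icmp[8:]                      # quoted header of the offending packet
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return "drop: bad embedded header"
    if inner[9] != 6:
        return "drop: embedded packet is not TCP"
    src, dst = inner[12:16], inner[16:20]
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    flow = flows.get((src, dst, sport, dport))
    if flow is None:
        return "drop: no matching connection"
    # The quoted segment must still be in flight: snd_una <= seq < snd_nxt (mod 2^32)
    in_flight = (flow["snd_nxt"] - flow["snd_una"]) % 2**32
    if (seq - flow["snd_una"]) % 2**32 >= in_flight:
        return "drop: sequence not in flight"
    # A genuine report only ever lowers the path MTU, and never below 68
    if next_mtu < MIN_PMTU or next_mtu >= flow["pmtu"]:
        return "drop: implausible next-hop MTU"
    return "accept"

def build_sample(seq: int, next_mtu: int) -> bytes:
    """Constructed sample: frag-needed quoting 192.0.2.10:40000 -> 198.51.100.5:80."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    tcp8 = struct.pack("!HHI", 40000, 80, seq)  # first 8 bytes of the TCP header
    return struct.pack("!BBHHH", 3, 4, 0, 0, next_mtu) + ip + tcp8

# Constructed flow table with one outbound connection
FLOWS = {(bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]), 40000, 80):
         {"snd_una": 1000, "snd_nxt": 5000, "pmtu": 1500}}

if __name__ == "__main__":
    for seq, mtu in [(2000, 1400), (9000, 1400), (2000, 40)]:
        print(seq, mtu, check_frag_needed(build_sample(seq, mtu), FLOWS))
```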