Date: Sat, 18 Nov 2000 11:04:55 -0600 (CST)
From: Mike Silbersack
To: Jesper Skriver
Cc: Alfred Perlstein, hackers@FreeBSD.ORG
Subject: Re: React to ICMP administratively prohibited ?
In-Reply-To: <20001118155446.A81075@skriver.dk>

On Sat, 18 Nov 2000, Jesper Skriver wrote:

> On Fri, Nov 17, 2000 at 02:29:04PM -0800, Alfred Perlstein wrote:
> >
> > Probably not, what if one started a stream of spoofed ICMP lying
> > about the state of the route between the two machines?  I have
> > the impression that the Linux box wouldn't be able to connect
> > because of this behavior.
>
> Correct, an attacker could in theory make sure we couldn't connect to
> a given remote box, but as I see it, it's mostly in theory.
>
> We could only react to this if we had a TCP session where we were
> waiting for a SYN/ACK from this specific host, this only leaves a very
> narrow window for an attacker to abuse, as he had to know both
> destination and time.
>
> Do you agree ?
>
> /Jesper

Well, if you honor such messages, don't you have to honor them in the
middle of a connection too?  Then you could cause a connection drop at any
time.  It would seem simpler to have the ISP in question use proper RST
responses, or just stop filtering totally.

Mike "Silby" Silbersack
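
Added example, not part of the original message and not FreeBSD's code: a sketch of the policy discussed in this thread, where an ICMP "administratively prohibited" error is honored only while the connection is waiting for a SYN/ACK and ignored once established. All type and function names are hypothetical, and the sequence-number check goes beyond what the thread proposes.

```c
#include <stdint.h>

/* Hypothetical names throughout; this is not FreeBSD's tcp_ctlinput(). */
enum tcp_state { TCP_SYN_SENT, TCP_ESTABLISHED, TCP_CLOSED };
enum verdict { IGNORE, ABORT_CONNECT };

#define ICMP_UNREACH        3   /* ICMP type: destination unreachable */
#define ICMP_UNREACH_ADMIN 13   /* code: communication administratively prohibited */

struct conn {                   /* local view of one TCP connection */
    enum tcp_state state;
    uint32_t laddr, faddr;      /* local / foreign IPv4 address */
    uint16_t lport, fport;      /* local / foreign port */
    uint32_t iss;               /* sequence number of the SYN we sent */
};

struct icmp_err {               /* parsed ICMP error plus the quoted packet header */
    uint8_t type, code;
    uint32_t q_src, q_dst;      /* quoted IP source / destination */
    uint16_t q_sport, q_dport;  /* quoted TCP ports */
    uint32_t q_seq;             /* quoted TCP sequence number */
};

/* Decide whether this ICMP error may abort the connection attempt. */
enum verdict icmp_prohib_verdict(const struct conn *c, const struct icmp_err *e)
{
    if (e->type != ICMP_UNREACH || e->code != ICMP_UNREACH_ADMIN)
        return IGNORE;
    /* Only while waiting for the SYN/ACK; an established connection is
     * never dropped, which is the mid-connection case raised in the reply. */
    if (c->state != TCP_SYN_SENT)
        return IGNORE;
    /* The quoted packet must be one this connection actually sent. */
    if (e->q_src != c->laddr || e->q_dst != c->faddr ||
        e->q_sport != c->lport || e->q_dport != c->fport)
        return IGNORE;
    /* Added hardening (assumption, not in the thread): must quote our SYN. */
    if (e->q_seq != c->iss)
        return IGNORE;
    return ABORT_CONNECT;
}

int main(void)
{   /* Constructed sample values. */
    struct conn c = { TCP_SYN_SENT, 0x0a000001, 0x0a000002, 40000, 80, 1000 };
    struct icmp_err e = { ICMP_UNREACH, ICMP_UNREACH_ADMIN,
                          0x0a000001, 0x0a000002, 40000, 80, 1000 };
    enum verdict syn = icmp_prohib_verdict(&c, &e);
    c.state = TCP_ESTABLISHED;
    return (syn == ABORT_CONNECT && icmp_prohib_verdict(&c, &e) == IGNORE) ? 0 : 1;
}
```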