Date: Sat, 18 Nov 2000 09:23:32 -0800 From: Alfred Perlstein <bright@wintelcom.net> To: Jesper Skriver <jesper@skriver.dk> Cc: hackers@FreeBSD.ORG Subject: Re: React to ICMP administratively prohibited ? Message-ID: <20001118092332.C18037@fw.wintelcom.net> In-Reply-To: <20001118155446.A81075@skriver.dk>; from jesper@skriver.dk on Sat, Nov 18, 2000 at 03:54:46PM %2B0100 References: <20001117211013.C9227@skriver.dk> <20001117142904.T18037@fw.wintelcom.net> <20001118155446.A81075@skriver.dk>
next in thread | previous in thread | raw e-mail | index | archive | help
* Jesper Skriver <jesper@skriver.dk> [001118 06:54] wrote: > On Fri, Nov 17, 2000 at 02:29:04PM -0800, Alfred Perlstein wrote: > > * Jesper Skriver <jesper@skriver.dk> [001117 12:11] wrote: > > [snip] > > > > > > This timeout could be avoided if the sending mail server reacted to the > > > 'ICMP administratively prohibited' they got from our router. > > [snip] > > > > > > $ telnet nemo.dyndns.dk 25 > > > Trying 193.89.247.125... > > > telnet: Unable to connect to remote host: No route to host > > > $ uname -a > > > Linux xyz.dk 2.0.32 #1 Wed Nov 19 00:46:45 EST 1997 i586 unknown > > > > > > Wouldn't it be a idea to implement a similar behaviour in FreeBSD ? > > > > Probably not, what if one started a stream of spoofed ICMP lying > > about the state of the route between the two machines? I have > > the impression that the Linux box wouldn't be able to connect > > because of this behavior. > > Correct, a attacker could in theory make sure we couldn't connect to > a given remote box, but as I see it, it's mostly in teory. > > We could only react to this if we had a TCP session where we was > waiting for a SYN/ACK from this specific host, this only leaves a very > narrow window for a attacker to abuse, as he had to know both > destination and time. > > Do you agree ? If I agreed I wouldn't have objected in the first place. :( -- -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org] "I have the heart of a child; I keep it in a jar on my desk." To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001118092332.C18037>