From owner-freebsd-hackers Sat Nov 18 9:23:37 2000 Delivered-To: freebsd-hackers@freebsd.org Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id 9183B37B4C5 for ; Sat, 18 Nov 2000 09:23:35 -0800 (PST) Received: (from bright@localhost) by fw.wintelcom.net (8.10.0/8.10.0) id eAIHNWN20716; Sat, 18 Nov 2000 09:23:32 -0800 (PST) Date: Sat, 18 Nov 2000 09:23:32 -0800 From: Alfred Perlstein To: Jesper Skriver Cc: hackers@FreeBSD.ORG Subject: Re: React to ICMP administratively prohibited ? Message-ID: <20001118092332.C18037@fw.wintelcom.net> References: <20001117211013.C9227@skriver.dk> <20001117142904.T18037@fw.wintelcom.net> <20001118155446.A81075@skriver.dk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20001118155446.A81075@skriver.dk>; from jesper@skriver.dk on Sat, Nov 18, 2000 at 03:54:46PM +0100 Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG * Jesper Skriver [001118 06:54] wrote: > On Fri, Nov 17, 2000 at 02:29:04PM -0800, Alfred Perlstein wrote: > > * Jesper Skriver [001117 12:11] wrote: > > [snip] > > > > > > This timeout could be avoided if the sending mail server reacted to the > > > 'ICMP administratively prohibited' they got from our router. > > [snip] > > > > > > $ telnet nemo.dyndns.dk 25 > > > Trying 193.89.247.125... > > > telnet: Unable to connect to remote host: No route to host > > > $ uname -a > > > Linux xyz.dk 2.0.32 #1 Wed Nov 19 00:46:45 EST 1997 i586 unknown > > > > > > Wouldn't it be a idea to implement a similar behaviour in FreeBSD ? > > > > Probably not, what if one started a stream of spoofed ICMP lying > > about the state of the route between the two machines? I have > > the impression that the Linux box wouldn't be able to connect > > because of this behavior. > > Correct, a attacker could in theory make sure we couldn't connect to > a given remote box, but as I see it, it's mostly in teory. > > We could only react to this if we had a TCP session where we was > waiting for a SYN/ACK from this specific host, this only leaves a very > narrow window for a attacker to abuse, as he had to know both > destination and time. > > Do you agree ? If I agreed I wouldn't have objected in the first place. :( -- -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org] "I have the heart of a child; I keep it in a jar on my desk." To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message