From: Chris C
To: Emmanuel Gravel, freebsd-net@FreeBSD.ORG
Date: Sun, 17 Sep 2000 12:53:58 -0400 (EDT)
Subject: RE: Strange TTL Exceeded messages

------Original Message------
From: Emmanuel Gravel
To: freebsd-net@FreeBSD.ORG
Sent: September 10, 2000 5:07:13 PM GMT
Subject: Strange TTL Exceeded messages

According to "Hacking Exposed: Network Security Secrets and Solutions" by Stuart McClure, Joel Scambray and George Kurtz, page 326:

"Firewalk (http://www.packetfactory.net/firewalk/) is a nifty tool that, like a port scanner, will discover ports open behind a firewall..."

"Firewalk works by constructing packets with an IP TTL calculated to expire one hop past the firewall. The theory is that if the packet is allowed by the firewall, it will be allowed to pass and will expire as expected, eliciting an "ICMP TTL expired in transit" message.
On the other hand, if the packet is blocked by the firewall's ACL, it will be dropped, and either no response will be sent, or an ICMP type 13 admin prohibited filter packet will be sent."

Prevention: block ICMP TTL Expired packets at the external interface level.

You're under attack. This book I quoted is a really good way to glean a lot of information and preventative methods for system admins, and I guarantee that hackers are reading it, why shouldn't you?

cc
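As an added example (not code from this thread or from Firewalk), here is a small Python heuristic a firewall operator could run over outside-interface packet logs to spot the probing pattern described above: one source hitting many distinct ports, every packet arriving with the TTL that will expire exactly one hop past the firewall. The log format, the sample addresses and the thresholds are constructed assumptions, not a real log format.

```python
# Heuristic detector for Firewalk-style probing seen at a firewall's outside interface.
# A probe built to expire one hop past the firewall arrives with IP TTL == 2: the firewall
# forwards it with TTL 1 and the next hop expires it, answering ICMP Time Exceeded.
from collections import defaultdict

# Constructed sample records (not real traffic): "src dst proto dport ttl"
SAMPLE_LOG = """\
192.0.2.10 203.0.113.5 tcp 22 2
192.0.2.10 203.0.113.5 tcp 25 2
192.0.2.10 203.0.113.5 tcp 53 2
192.0.2.10 203.0.113.5 udp 53 2
192.0.2.10 203.0.113.5 tcp 80 2
192.0.2.10 203.0.113.5 tcp 443 2
198.51.100.7 203.0.113.5 tcp 80 57
198.51.100.7 203.0.113.5 tcp 443 57
198.51.100.9 203.0.113.5 udp 33434 2
198.51.100.9 203.0.113.5 udp 33435 2
"""

PROBE_TTL = 2   # TTL remaining when a probe aimed one hop past us reaches our outside interface
MIN_PORTS = 5   # assumed threshold: distinct ports from one source before we call it a sweep

def parse_log(text):
    """Turn the constructed log format into dicts; skips blank and '#' lines."""
    recs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, proto, dport, ttl = line.split()
        recs.append({"src": src, "dst": dst, "proto": proto, "dport": int(dport), "ttl": int(ttl)})
    return recs

def find_firewalk_sources(recs, min_ports=MIN_PORTS):
    """Map each source that hit >= min_ports distinct (proto, port) pairs with TTL == PROBE_TTL
    to the sorted list of those pairs.  Ordinary traffic almost never arrives with such a low
    TTL, and a traceroute to the host just beyond us touches only a few ports, so the port
    count separates a sweep from those cases."""
    ports_by_src = defaultdict(set)
    for r in recs:
        if r["ttl"] == PROBE_TTL:
            ports_by_src[r["src"]].add((r["proto"], r["dport"]))
    return {src: sorted(ports) for src, ports in ports_by_src.items() if len(ports) >= min_ports}

if __name__ == "__main__":
    for src, ports in find_firewalk_sources(parse_log(SAMPLE_LOG)).items():
        print(f"possible Firewalk sweep from {src}: {ports}")
```

Blocking outbound ICMP Time Exceeded on the external interface, as the message recommends, makes permitted and filtered probes look the same to the sender; this script only tells you that someone tried.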