> The danger in this problem arises from the fact that many perimeter defenses > (firewalls) permit ICMP through, which means that remote, anonymous > attackers Note that perimiter firewalls that don't let some ICMP through are broken (If anyone from certain large search/net companies beginning with A and Y are listening....). With return ICMP must fragment messages blocked the host isnt properly accessible (in many cases not accessible at all) over lower MTU paths like secure tunnels, groups of machines behind low mtu ppp links etc. A perimiter firewall can (and probably should) do stateful checking of the ICMPs perhaps with rate limiting too. Alan
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:14:17 PDT