Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)

From: Frederic Harster (f.harsterat_private)
Date: Mon Feb 03 2003 - 07:56:23 PST

    Hugo van der Kooij wrote:
    
    >>Let's say that a router is configured (with ACLs) to deny packets from
    >>255.255.255.255 (that's why I noticed them). Then it sends back an "ICMP
    >>unreachable", doesn't it?
    >>These ICMP packets try to travel to... 255.255.255.255! Wouldn't it cause
    >>a multiplying?
    >>I know that a router/firewall may be configured to _not_ send "ICMP
    >>unreachables" but default is to send them.
    >>    
    >>
    >
    >The default behaviour for filtering must be to DROP the packets. This is 
    >standard in all known firewalls and should be considered common knowledge.
    >
    >Some call this stealth mode.
    >  
    >
    Although I _could_ agree as far as firewalls are concerned, I don't 
    when it comes to routers.
    Blocking/dropping any ICMP packet usually turns into a real nightmare 
    when you have to perform troubleshooting on a wide network.
    
    my 0,02... and common practice.
    Fred
    
    



    This archive was generated by hypermail 2b30 : Tue Feb 04 2003 - 09:28:07 PST
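
Added example, not part of the original thread: the question quoted above (does rejecting a packet "from" 255.255.255.255 make the router send an ICMP unreachable to 255.255.255.255?) is addressed by RFC 1122 section 3.2.2 and RFC 1812 section 4.3.2.7, which list the cases where an ICMP error must not be generated. The Python sketch below applies those checks to a rejected IPv4 packet; the function name, its parameters and the sample addresses are constructed for illustration.

```python
import ipaddress

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")
CLASS_E = ipaddress.ip_network("240.0.0.0/4")  # also contains 255.255.255.255


def _not_single_host(addr):
    """True if addr cannot identify one host (zero, loopback, multicast, class E, broadcast)."""
    return (addr.is_unspecified or addr.is_loopback or addr.is_multicast
            or addr == LIMITED_BROADCAST or addr in CLASS_E)


def icmp_error_allowed(src, dst, *, frag_offset=0, is_icmp_error=False,
                       l2_broadcast=False):
    """Decide whether an ICMP error may be sent about a rejected IPv4 packet.

    Returns (allowed, reason). Directed (subnet) broadcasts are not detected
    here because that needs knowledge of the local prefixes.
    """
    s = ipaddress.IPv4Address(src)
    d = ipaddress.IPv4Address(dst)
    if is_icmp_error:
        return False, "offending packet is itself an ICMP error"
    if frag_offset != 0:
        return False, "non-initial fragment"
    if l2_broadcast:
        return False, "received as a link-layer broadcast"
    if d.is_multicast or d == LIMITED_BROADCAST:
        return False, "destination is broadcast or multicast"
    if _not_single_host(s):
        return False, "source does not identify a single host"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample packets: (source, destination, keyword arguments)
    samples = [
        ("255.255.255.255", "192.0.2.10", {}),   # the case from this thread
        ("198.51.100.7", "192.0.2.10", {}),      # ordinary unicast source
        ("198.51.100.7", "192.0.2.10", {"frag_offset": 185}),
        ("224.0.0.5", "192.0.2.10", {}),
    ]
    for src, dst, kw in samples:
        allowed, reason = icmp_error_allowed(src, dst, **kw)
        print(f"{src:>15} -> {dst:<12} send ICMP error: {allowed} ({reason})")
```

A device that follows these rules silently discards the spoofed-broadcast packets while still returning unreachables for ordinary unicast sources, which keeps ICMP usable for troubleshooting.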