The RFCs also state that you don't send ICMP messages in response to other ICMP messages (at least as far as error messages go, you don't send a host unreachable message in response to an echo packet, though you would send an echo reply).

Tom Arseneault
Security Engineer
Counterpane Internet Security.

"All humans are born Right-Handed...but the great ones overcome it."

-----Original Message-----
From: Tomasz Papszun [mailto:tomek-incidat_private]
Sent: Friday, January 31, 2003 12:11 PM
To: Peter Triller
Cc: incidentsat_private
Subject: Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)

<===SNIP===>

These ICMP packets try to travel to... 255.255.255.255! Wouldn't it cause a multiplying? I know that a router/firewall may be configured to _not_ send "ICMP unreachables" but the default is to send them.

BTW, I seem to remember that _not_ sending "ICMP unreachables" is somehow against RFC... Of course security reasons for not sending them may be important (e.g. for hiding some network devices) but _formally_... it's a little not good :-) .

<===SNIP===>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Feb 04 2003 - 10:53:13 PST
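
Added example, not part of the original messages: a Python check of the conditions under which RFC 1122 section 3.2.2 says an ICMP error must not be generated, applied to the 255.255.255.255 source case raised in the thread. The packet dictionaries, field names, function names and addresses are constructed for illustration.

```python
import ipaddress

# ICMP types that are error messages (RFC 792): destination unreachable,
# source quench, redirect, time exceeded, parameter problem.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def is_single_host(addr, local_net=None):
    """True if addr can identify exactly one host."""
    ip = ipaddress.IPv4Address(addr)
    if ip.is_unspecified or ip.is_loopback or ip.is_multicast:
        return False
    if ip == LIMITED_BROADCAST or ip.is_reserved:  # is_reserved = 240.0.0.0/4
        return False
    # A directed broadcast can only be recognised for a network we know.
    if local_net is not None and ip == ipaddress.IPv4Network(local_net).broadcast_address:
        return False
    return True


def may_send_icmp_error(pkt, local_net=None):
    """Return (allowed, reason) for generating an ICMP error about pkt."""
    if pkt.get("proto") == "icmp" and pkt.get("icmp_type") in ICMP_ERROR_TYPES:
        return False, "offending packet is itself an ICMP error"
    if not is_single_host(pkt["dst"], local_net):
        return False, "destination is broadcast/multicast"
    if pkt.get("link_broadcast"):
        return False, "received as link-layer broadcast"
    if pkt.get("frag_offset", 0) != 0:
        return False, "non-initial fragment"
    if not is_single_host(pkt["src"], local_net):
        return False, "source does not define a single host"
    return True, "ok"


# Constructed sample packets (documentation addresses, not the thread's captures).
SAMPLES = [
    {"src": "255.255.255.255", "dst": "192.0.2.10", "proto": "tcp"},
    {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": "tcp"},
    {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": "icmp", "icmp_type": 3},
    {"src": "198.51.100.7", "dst": "192.0.2.255", "proto": "udp"},
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, "->", may_send_icmp_error(p, local_net="192.0.2.0/24"))
```

A stack that applies these checks never emits the unreachable addressed to 255.255.255.255; seeing such replies on the wire indicates a device that skips the source-address test.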