Blocking/dropping from an undesirable IP isn't really going to affect your trouble-shooting, since you shouldn't be accepting traffic from there anyway. No news is good news from the IP is good news?

Jim

-----Original Message-----
From: Frederic Harster [mailto:f.harsterat_private]
Sent: Monday, February 03, 2003 10:56 AM
To: Incidents Mailing List
Subject: Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)

Hugo van der Kooij wrote:

>>Let's say that a router is configured (with ACLs) to deny packets from
>>255.255.255.255 (that's why I noticed them). Then it sends back an "ICMP
>>unreachable", doesn't it?
>>These ICMP packets try to travel to... 255.255.255.255! Wouldn't it cause
>>a multiplying?
>>I know that a router/firewall may be configured to _not_ send "ICMP
>>unreachables" but default is to send them.
>>
>>
>
>The default behaviour for filtering must be to DROP the packets. This is
>standard in all known firewalls and should be considered common knowledge.
>
>Some call this stealth mode.
>
>

Although I _could_ agree as far as firewalls are concerned, I don't when it comes to routers. Blocking/dropping any ICMP packet usually turns into a real nightmare when you have to perform troubleshooting on a wide network.

my 0,02... and common practice.

Fred

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Feb 04 2003 - 13:54:19 PST