RE: Scan of TCP 552-554

From: Frank Knobbe (fknobbeat_private)
Date: Tue Jul 29 2003 - 16:15:52 PDT


    On Tue, 2003-07-29 at 02:31, Nick Nauwelaerts wrote:
    > [...] Discarding, not blocking, incoming traffic
    > has as added feature that it breaks MTU path discovery. If your firewall is
    > part of an upstream route you break other people's troubleshooting. If this
    > was done by everyone you can forget about basic troubleshooting tools such
    > as traceroute or ping.
    
    
    Path MTU discovery only gets broken if you block (or do not respond to)
    certain ICMP packets. You should be able to silently drop TCP, UDP, and
    most of ICMP (except for type 3 and 11 I believe).
    
    Doing traceroutes has already become a PITA with certain providers.
    Luckily those that block ICMP traceroutes still permit TCP traceroutes.
    Besides, most admins probably don't want you to be able to traceroute
    through their firewall :)
    
    I agree on the hiding part. Also, TCP Resets are especially useful for
    anything that throws idents your way (i.e. mail servers, secondary name
    servers).
    
    Cheers,
    Frank
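
An added example, not part of the original post: an nftables input chain that applies the policy described above, dropping silently by default while still accepting ICMP type 3 (destination unreachable, which carries the "fragmentation needed" messages path MTU discovery relies on) and type 11 (time exceeded), and answering ident (TCP 113) with a reset. nftables and the table and chain names are assumptions; the thread does not name a firewall product.

```nft
# Added example ruleset (assumed names: table "filter", chain "input").
# IPv4 only: an IPv6 policy would also need ICMPv6 neighbor discovery.
table ip filter {
    chain input {
        # Default action: discard silently, no RST and no ICMP error.
        type filter hook input priority 0; policy drop;

        # Loopback and replies to connections this host opened.
        iif "lo" accept
        ct state established,related accept

        # ICMP type 3 (destination unreachable, including code 4
        # "fragmentation needed") and type 11 (time exceeded).
        # Dropping these is what breaks path MTU discovery.
        icmp type { destination-unreachable, time-exceeded } accept

        # Ident lookups from mail servers and similar: answer with a
        # TCP reset so the remote side fails fast instead of waiting
        # for a timeout on a silently dropped SYN.
        tcp dport 113 reject with tcp reset

        # Everything else (TCP, UDP, remaining ICMP types) falls
        # through to the drop policy above.
    }
}
```

Loading it with `nft -c -f <file>` checks the syntax without applying the rules.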
    
    
    
    


