ICMP can be used to probe for timestamps and netmasks and attacks 
are typically type 3 = DESTINATION UNREACHABLE unless they are just 
going to flood you ala smurf or fat ping packets.  Potentially 
someone could be running a callback script on an internal box 
that then establishes an outbound connection to the source address
of the calling party using icmp as the trigger mechanism.  You 
probably want to check with the owners of said external address 
and maybe also look into blocking ICMP at the router.  Type 11 
doesn't really seem to pose any of the probing or attack risks though.

Hope that helps,
Cohen

At 03:24 PM 2/15/99 +0100, Joseph Favia Jr. wrote:
>Hello,
>
>I've received a report from one site that their firewall (FW-1) is
>receiving an ICMP packet every minute from the same external address. The
>packet is of type 11 code 0, which should correspond to:
>
> type 11 = TIME EXCEEDED   (0 : TTL=0 during transmit , 1 : TTL=0 during
>reassembly)
>
>Since it is directed to the firewall, his stealth rule is generating an
>alarm every minute!
>I'm not too keen on ICMP, but I think that there should be no problem with
>packets of this type. Am I right? I would appreciate some other opinions.
>Could it be some sort of probe or attack ?  
>
>Thanks for your help
>
>Joseph
>
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
>
>
---
Cohen Liota
Information Security Specialist         +1.416.815.3041 - voice
Secure Computing Corporation            +1.416.815.3001 - fax
[EMAIL PROTECTED]         http://www.securecomputing.com/
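
An added example, not part of either message: an ICMP error such as type 11 code 0 quotes the IP header and first 8 bytes of the packet that triggered it (RFC 792), so decoding that quoted header shows whether the firewall's own traffic caused the message. The function names, the sample packet and the 192.0.2.1 / 198.51.100.7 addresses are constructed for illustration.

```python
import struct

# ICMP types mentioned in the thread (numbers per RFC 792 and RFC 950).
ICMP_NOTES = {3: "destination unreachable", 11: "time exceeded",
              13: "timestamp request", 17: "address mask request"}
TIME_EXCEEDED = {0: "TTL=0 during transit", 1: "TTL=0 during reassembly"}

def parse_icmp(icmp: bytes) -> dict:
    """Decode an ICMP message; for error types 3 and 11, also decode the
    quoted IP header of the packet that caused the error."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    info = {"type": icmp[0], "code": icmp[1],
            "note": ICMP_NOTES.get(icmp[0], "other"), "quoted": None}
    if icmp[0] == 11:
        info["code_meaning"] = TIME_EXCEEDED.get(icmp[1], "unknown")
    if icmp[0] not in (3, 11):
        return info
    q = icmp[8:]                      # quoted original datagram starts here
    if len(q) < 20 or q[0] >> 4 != 4 or (q[0] & 0x0F) < 5:
        return info                   # no usable IPv4 header quoted
    ihl = (q[0] & 0x0F) * 4           # quoted header length in bytes
    quoted = {"src": ".".join(map(str, q[12:16])),
              "dst": ".".join(map(str, q[16:20])), "proto": q[9]}
    ports = q[ihl:ihl + 4]
    if q[9] in (6, 17) and len(ports) == 4:   # TCP or UDP port pair
        quoted["sport"], quoted["dport"] = struct.unpack("!HH", ports)
    info["quoted"] = quoted
    return info

def caused_by_us(info: dict, our_addrs: set) -> bool:
    """True if the quoted packet claims one of our addresses as its source."""
    return bool(info["quoted"]) and info["quoted"]["src"] in our_addrs

def build_sample() -> bytes:
    """Constructed type 11 code 0 message (checksums left at 0, not verified)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 1, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    udp = struct.pack("!HHHH", 33000, 33434, 8, 0)
    return struct.pack("!BBHI", 11, 0, 0, 0) + ip + udp

if __name__ == "__main__":
    msg = parse_icmp(build_sample())
    print(msg, caused_by_us(msg, {"192.0.2.1"}))
```

A quoted source that is not one of your addresses, or a message with no quoted header at all, means nothing you sent triggered it.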