On Tue, Jul 11, 2000 at 01:29:16PM +0800, Ronneil Camara wrote:
> > -----Original Message-----
> > From: Michael H. Warfield [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, July 11, 2000 1:01 PM
> > To: Ronneil Camara
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: IP Spoofing
> > > Will http traffic still flow even if we block icmp traffic at the firewall?

> >     Yes...

> > > Does http also use tcp?

> >     Also?  Http is a tcp protocol, so I guess so.  I don't know of
> > anything else it uses.

> I got it the other way around. How about UDP?

        No.

> > > Are there any disadvantage when I block icmp traffic on my
> > > public/external interface?

> >     Big time...  If you block all ICMP you will break a thing called
> > MTU discovery which can hose up things seemingly at random.  I tracked
> > several cases of people unable to browse my web server due to a hop which
> > failed to support MTU discovery and then something else broke when the
> > performance and fragmentation went in the dumper.

> > > How about advantage when we block icmp traffic on
> > > the public/external interface?

> >     Well...  Blocking ICMP ECHO and ICMP ECHO_REPLY cuts out a major
> > communication channel for DDoS zombies.  Does that count?  That's a
> > REALLY GOOD THING.  :-)

> What's the equal port number for ICMP ECHO & ICMP ECHO_REPLY?

        No-op.  Port number is not generally applicable to ICMP.  It's
a different protocol (same level as IP which also has no concept of port
number either).  Port numbers apply to TCP and UDP which are a layer above.
I say generally because ICMP PORT_UNREACHABLE does have the concept of
a port, but that's a payload issue.

> > > Thanks in advance. :-)

> >     To do things right, you really want ICMP UNREACHABLE WOULD_FRAGMENT
> > to pass through in order to make MTU discovery work.  Just about anything
> > else ICMP is a win to pitch in the dumper.
> >           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

> I didn't get your last paragraph. :-(

        In other words, discarding any other ICMP type and subtype is
advantageous (a win) to you.  Throw anything else away.  Sorry for being
obtuse in my language.  :-)

> Thanks.

        Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  [EMAIL PROTECTED]
  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
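As an added illustration (not code from the thread or from anyone on it), here is a small Python filter that applies the ICMP policy Mike describes: pass only Destination Unreachable / Fragmentation Needed so MTU discovery keeps working, drop echo, echo-reply and every other ICMP type, and leave TCP/UDP alone. It also shows the point about PORT_UNREACHABLE: the "port" is read out of the quoted original datagram carried in the ICMP payload, not from any ICMP header field. The type/code numbers (3/4 for fragmentation needed, 3/3 for port unreachable, 8 and 0 for echo and echo-reply) are the standard ICMPv4 values, which the thread names but does not number; the sample packets are constructed inline with zero checksums.

```python
import struct
ICMP, TCP, UDP = 1, 6, 17
# Policy from the thread: pass only ICMP Destination Unreachable with the
# Fragmentation Needed code (type 3, code 4) so Path MTU discovery survives;
# drop every other ICMP type/code, echo (8) and echo-reply (0) included.
ALLOWED_ICMP = {(3, 4)}

def ip_payload(pkt: bytes):
    """Split a raw IPv4 packet into (protocol number, bytes after the IP header)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return pkt[9], pkt[(pkt[0] & 0x0F) * 4:]

def firewall_verdict(pkt: bytes) -> str:
    """'pass' or 'drop' for one packet under the thread's ICMP policy."""
    proto, payload = ip_payload(pkt)
    if proto != ICMP:
        return "pass"                 # TCP/UDP are outside this ICMP filter
    if len(payload) < 8:
        return "drop"                 # truncated ICMP header
    return "pass" if (payload[0], payload[1]) in ALLOWED_ICMP else "drop"

def embedded_dst_port(pkt: bytes):
    """The 'port' of an ICMP Unreachable is not an ICMP field: it lives in the
    quoted original IP header + 8 bytes that follow the 8-byte ICMP header."""
    proto, payload = ip_payload(pkt)
    if proto != ICMP or len(payload) < 8 or payload[0] != 3:
        return None
    inner = payload[8:]
    if len(inner) < 20:
        return None
    ihl = (inner[0] & 0x0F) * 4
    if inner[9] not in (TCP, UDP) or len(inner) < ihl + 4:
        return None
    return struct.unpack("!H", inner[ihl + 2:ihl + 4])[0]

# Constructed sample packets (checksums left at zero; they are not validated here).
def ipv4(proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

def icmp(t, code, rest=b"\x00" * 4, data=b""):
    return struct.pack("!BBH", t, code, 0) + rest + data
SAMPLES = {
    "echo_request": ipv4(ICMP, icmp(8, 0)),
    "frag_needed": ipv4(ICMP, icmp(3, 4, struct.pack("!HH", 0, 1500), ipv4(TCP, struct.pack("!HH", 40000, 80)))),
    "port_unreachable": ipv4(ICMP, icmp(3, 3, data=ipv4(UDP, struct.pack("!HH", 40000, 53)))),
    "plain_tcp": ipv4(TCP, struct.pack("!HH", 40000, 80)),
}
```

Running `firewall_verdict` over `SAMPLES` gives drop for the echo request and the port unreachable, pass for the fragmentation-needed message and the plain TCP segment; `embedded_dst_port` recovers 80 and 53 from the two Unreachable messages.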
