This is really pretty simple, the guy is sending a ping or echo request to your
broadcast address (255).  The broadcast address is picked up and answered by
every machine on that network that sees it.  The broadcast address is
typically used for things like DHCP where the actual destination is unknown.
What he hopes will happen is that all active machines will answer and he can
get a map of your network by sending out one packet.  There is also a type
of DoS attack that uses this same method except the source address is
spoofed and is actually the address of the person being attacked.  The
attacker simply sends a ping to the broadcast of a couple of class B
networks and the victim receives 1000s of response packets, flooding his
network.  I have seen these things addressed to 255.255.255.255 which,
unless I am seriously mistaken, would address the whole internet.

This is one of the best arguments I could possibly make for NOT letting
pings into your network.

Jim Edwards

-----Original Message-----
From: Joerg Major [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 23, 2000 7:41 AM
To: Majordomo fw-1-mailinglist
Subject: [FW1] RE: icmp-type8 icmp code 0



Hi Zinc,

that's typically a ping. The destination address is a bit confusing
because it is a broadcast address not a host IP address. Maybe there is a
misconfigured router or something like this. It should be dropped anyway.
icmp-type8 icmp code 0 means "echo reply"
Have a look at
http://www.networksorcery.com/enp/protocol/icmp.htm

Hope this helps.

---Joerg---


> Hi Checkpoint Gurus!
> 
> I have a log in my firewall originally from:
> 
> Source: srv1a.pal.va.es
> destination: x.w.y.255
> proto. : icmp
> rule : 17 (any any drop)
> s.port : none
> Description: icmp-type8 icmp code 0
> 
> I had already checked this out below, but I still don't really quite
> understand what this guy is trying to do.
> 
> ICMP TYPE NUMBERS
> 
> The Internet Control Message Protocol (ICMP) has many messages that
> are identified by a "type" field.
> 
> 8       Echo                                     [RFC792]
> 
>   8     Echo                                     [RFC792]
> 
>         Codes
>             0  No Code
> 
> 
> Please help me.
> 
> Thank you.
> 
> zinc
>


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
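
An added example, not part of the original thread: a Python check that flags log entries like the one quoted above, ICMP type 8 code 0 sent to a broadcast address. It goes beyond the .255 case by deriving each subnet's broadcast address from its prefix length; the subnets, the log records and the record field names are constructed assumptions.

```python
import ipaddress

# Assumed local subnets (constructed, documentation address ranges).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.64/26")]

# Constructed sample records shaped like the firewall log entry in the thread.
SAMPLE_LOG = [
    {"src": "203.0.113.9", "dst": "192.0.2.255", "proto": "icmp", "type": 8, "code": 0},
    {"src": "203.0.113.9", "dst": "192.0.2.17", "proto": "icmp", "type": 8, "code": 0},
    {"src": "203.0.113.40", "dst": "198.51.100.127", "proto": "icmp", "type": 8, "code": 0},
    {"src": "203.0.113.40", "dst": "198.51.100.64", "proto": "icmp", "type": 8, "code": 0},
    {"src": "203.0.113.77", "dst": "255.255.255.255", "proto": "icmp", "type": 8, "code": 0},
    {"src": "192.0.2.10", "dst": "203.0.113.5", "proto": "icmp", "type": 0, "code": 0},
    {"src": "203.0.113.9", "dst": "192.0.2.255", "proto": "udp", "type": None, "code": None},
]

def classify_destination(dst, nets=LOCAL_NETS):
    """Return 'limited-broadcast', 'directed-broadcast', 'network-address' or None."""
    addr = ipaddress.ip_address(dst)
    if addr == ipaddress.ip_address("255.255.255.255"):
        return "limited-broadcast"
    for net in nets:
        if net.prefixlen >= 31:  # /31 and /32 subnets have no broadcast address
            continue
        if addr == net.broadcast_address:
            return "directed-broadcast"
        if addr == net.network_address:  # some older stacks answer this as broadcast
            return "network-address"
    return None

def broadcast_pings(records, nets=LOCAL_NETS):
    """Flag ICMP echo requests (type 8, code 0) aimed at a broadcast address."""
    hits = []
    for rec in records:
        if rec["proto"] != "icmp" or rec["type"] != 8 or rec["code"] != 0:
            continue
        kind = classify_destination(rec["dst"], nets)
        if kind:
            hits.append((rec["src"], rec["dst"], kind))
    return hits

if __name__ == "__main__":
    for src, dst, kind in broadcast_pings(SAMPLE_LOG):
        print(f"{src} -> {dst}: echo request to {kind}")
```

On a /26 the broadcast address ends in .127, not .255, so a filter that only matches destinations ending in 255 would miss it.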

