ICMP Packets.

tqbf@pobox.com
Sat, 6 Jun 1998 03:25:48 -0500 (CDT)

> You could consider adding "source quench" ICMP messages to the "let
> through" list.

Why? Source quench is deprecated (generating even more traffic in
diagnostic messages as a result of congestion isn't the best design), and
some operating systems may misbehave in reacting to them.

> "Time exceeded" is needed for traceroute (and in an ever growing
> internet, you may need to be aware of boxes with low default ttl's).

There are only two different methods I'm aware of to map remote network
topologies (record-route and TTL modulation). Network topology is
extremely valuable information for an attacker. Since blocking TTL-
exceeded messages is an effective way to prevent this information from
leaking, filtering it seems to make much more sense to me than leaving it
open for the sake of its limited diagnostic value.

This is as opposed to filtering, say, ECHO-REQUEST messages --- if you
think this is preventing anyone from finding live machines on your
network, the false sense of security you're giving yourself by filtering
these messages is much more damaging than the information you leak by not
doing so.

Thomas H. Ptacek	  The Company Formerly Known As Secure Networks, Inc.
http://www.pobox.com/~tqbf	 "If you're so special, why aren't you dead?"
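The post argues for a per-type ICMP policy: drop source quench (type 4) and time exceeded (type 11), let echo request (type 8) through. The script below is an added example, not code from the post or its author: it parses an ICMP header from raw bytes (RFC 792 layout, RFC 1071 checksum), discards anything malformed, and applies that policy. The type numbers are the standard IANA assignments; the default-deny for every type the post does not name, and the constructed sample packets, are assumptions of this example, not something the post states.

```python
"""Minimal ICMP header parser plus the per-type filter policy from the post.

Added example (not from the original message). Packets are built inline so
the script runs offline; nothing here touches a real socket.
"""
import struct

# ICMP type numbers as assigned by IANA (RFC 792).
ICMP_SOURCE_QUENCH = 4
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11

# Policy taken from the post: block the two topology/congestion messages,
# allow echo request. Default-deny for unlisted types is this example's
# assumption, not a recommendation made in the post.
POLICY = {
    ICMP_SOURCE_QUENCH: "drop",   # deprecated, OS handling is unreliable
    ICMP_TIME_EXCEEDED: "drop",   # enables TTL-based topology mapping
    ICMP_ECHO_REQUEST: "allow",   # filtering it buys little real security
}
DEFAULT_DECISION = "drop"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, complemented.

    Odd-length input is zero-padded. Computing this over a packet whose
    checksum field is already filled in yields 0 when the packet is intact.
    """
    if len(data) % 2:
        data += b"\x00"
    words = struct.unpack("!%dH" % (len(data) // 2), data)
    total = sum(words)
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: int = 0, payload: bytes = b"") -> bytes:
    """Construct an ICMP message with a valid checksum (for test input only)."""
    header = struct.pack("!BBHI", icmp_type, code, 0, rest)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, rest) + payload


def parse_icmp(packet: bytes) -> dict:
    """Parse the 8-byte ICMP header; raise ValueError on truncation or bad checksum."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP header (%d bytes)" % len(packet))
    if icmp_checksum(packet) != 0:
        raise ValueError("ICMP checksum mismatch")
    icmp_type, code, csum, rest = struct.unpack("!BBHI", packet[:8])
    return {"type": icmp_type, "code": code, "checksum": csum,
            "rest": rest, "payload": packet[8:]}


def filter_decision(packet: bytes) -> tuple:
    """Return (decision, reason) for one ICMP message.

    Malformed packets are dropped before the type is even consulted, so a
    garbage type byte cannot be used to slip past the policy table.
    """
    try:
        hdr = parse_icmp(packet)
    except ValueError as exc:
        return ("drop", "malformed: %s" % exc)
    decision = POLICY.get(hdr["type"], DEFAULT_DECISION)
    return (decision, "type %d code %d" % (hdr["type"], hdr["code"]))


if __name__ == "__main__":
    # Constructed sample traffic: one echo request (id 0x1234, seq 1), one
    # time-exceeded, one source quench, and a corrupted echo request.
    samples = [
        build_icmp(ICMP_ECHO_REQUEST, 0, rest=(0x1234 << 16) | 1, payload=b"ping"),
        build_icmp(ICMP_TIME_EXCEEDED, 0),
        build_icmp(ICMP_SOURCE_QUENCH, 0),
    ]
    damaged = bytearray(samples[0])
    damaged[8] ^= 0xFF                       # flip a payload byte -> bad checksum
    samples.append(bytes(damaged))
    for pkt in samples:
        decision, reason = filter_decision(pkt)
        print("%-5s  %s" % (decision, reason))
```

The default-deny row is where a real deployment needs care: it would also discard destination-unreachable messages (type 3), and the "fragmentation needed" variant of those (code 4) is what path MTU discovery depends on, so a production rule set would list the types it wants explicitly rather than rely on the catch-all.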