On Fri, Nov 17, 2000 at 02:29:04PM -0800, Alfred Perlstein wrote:
> * Jesper Skriver <[EMAIL PROTECTED]> [001117 12:11] wrote:
> [snip]
> >
> > This timeout could be avoided if the sending mail server reacted to the
> > 'ICMP administratively prohibited' they got from our router.
> [snip]
> >
> > $ telnet nemo.dyndns.dk 25
> > Trying 193.89.247.125...
> > telnet: Unable to connect to remote host: No route to host
> > $ uname -a
> > Linux xyz.dk 2.0.32 #1 Wed Nov 19 00:46:45 EST 1997 i586 unknown
> >
> > Wouldn't it be a idea to implement a similar behaviour in FreeBSD ?
>
> Probably not, what if one started a stream of spoofed ICMP lying
> about the state of the route between the two machines? I have
> the impression that the Linux box wouldn't be able to connect
> because of this behavior.
Correct, a attacker could in theory make sure we couldn't connect to
a given remote box, but as I see it, it's mostly in teory.
We could only react to this if we had a TCP session where we was
waiting for a SYN/ACK from this specific host, this only leaves a very
narrow window for a attacker to abuse, as he had to know both
destination and time.
Do you agree ?
/Jesper
--
Jesper Skriver, jesper(at)skriver(dot)dk - CCIE #5456
Work: Network manager @ AS3292 (Tele Danmark DataNetworks)
Private: Geek @ AS2109 (A much smaller network ;-)
One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
