Yeah, that's called a darknet or something like that. A classic one is where you take a random sampling of your public IP space that you're not using, and set up a box ou there in the perimeter to log any traffic to it. All that traffic is essentially bad since the IPs aren't in use. Then you have some dynamic manner of updating the rules in your firewall rulebase or the ACLs on your routers or what have you to just drop traffic from whatever source for a period of time. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132
________________________________ From: [EMAIL PROTECTED] on behalf of joe Sent: Sun 1/1/2006 6:23 PM To: [email protected] Subject: RE: [ActiveDir] icmp's Yep, something else I have seen in smarter networking environments is a honeypot system where you trap all ICMP traffic bound for non-routable internal networks and then a script that shuts the ports down on the switches of the machines sending that traffic. Someone with an infected machine who all of a sudden can't get network connectivity is bound to yell for help at which point the boys with the stuffed pillow cases show up.... ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Sunday, January 01, 2006 5:11 PM To: [email protected] Subject: RE: [ActiveDir] icmp's The whole block ICMP thing is I think in many ways dating to the blaster and nachi outbreaks when routers were getting driven to 100% CPU as hundreds of machines were slamming ICMP and RPC traffic across them. Newer gear has the ability to rate limit ICMP traffic. All your admins need to do is rate limit ICMP to something like 512kb/sec and drop on exceed. Problem solved. In the event yuou have an outbreak because you don't do patch management, go in the router and set the drop limit to something like 64kb/sec or worst case put the ACL to shutdown ICMP all together. Either way your better off than no ICMP 24/7.... Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 ________________________________ From: [EMAIL PROTECTED] on behalf of joe Sent: Sun 1/1/2006 3:17 PM To: [email protected] Subject: RE: [ActiveDir] icmp's I don't often find myself in the position of defending the Exchange folks but this isn't just an Exchange thing, the ICMP echo has been a "are you alive" test for a very long time. I understand why they do it, I have written several scripts and tools that do something similar. It can be considerably faster. When you are testing suitability or capability of a bunch of systems, sending an ICMP ping to see if the machine is live is considerably faster in many circumstances than sending higher level calls, both for machines that are live or dead. This is especially true if using netbios calls, in that case querying can cause a system to hang where a simple ICMP ping tells you right away if you should even bother. Blocking all ICMP in an internal network is generally silly in my opinion unless something is abusing it at the time. It is often a thoughtless reactive, "well we will certainly stop those viruses" knee jerk. Its like stripping all zip files in an email system because a virus is operating through zips. We don't a better way and we don't have the ability and/or time to think up a better way so lets get out the sledgehammer... Once you use ICMP you can go on to use higher level forms of testing. It is also a great way for diagnostician's to try and work out network issues... is ICMP ECHO getting through? No, well then we don't have to look at complicated upper level issues, we can focus on core basic network connectivity. One thing the Exchange folks did that I am not in agreement with is if a DC is a config DC and is operating poorly Exchange will really avoid switching for config functionality if the ping is still there. That isn't a stateless connection so I can understand the reluctance but it can be a serious pain at times. ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Sunday, January 01, 2006 1:18 PM To: [email protected] Subject: RE: [ActiveDir] icmp's "Note Exchange doesn't take kindly to ICMP echo being disabled either. If Excha us nge can't ping a DC, DSACCESS does not see that DC unless you have specially configured it." Which, I always thought was a pretty funny way of doing things anyway. As you are well aware, Ping doesn't mean alive and healthy. I know of many people who have spent hours to days troubleshooting a problem just to find that the machine that they first suspected as being the problem pinged just fine. Sadly, it was dead from the neck up and port 389 and 3268 were non-responsive (along with all of the other really important stuff). Rick ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Sunday, January 01, 2006 10:54 AM To: [email protected] Subject: RE: [ActiveDir] icmp's I would agree, the old style logon scripts should be fine, UNLESS you have implemented your own speed sensing based on icmp in the logon script (many of us did that long before MS did it for those who didn't figure it out). Note Exchange doesn't take kindly to ICMP echo being disabled either. If Exchange can't ping a DC, DSACCESS does not see that DC unless you have specially configured it. If you never want to fail outside of a segment then that is the way to do it, but most people would rather fail over to any DC versus say, nah, those are two far away even though none of my local DCs are available if things go pear shaped. ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Sunday, January 01, 2006 9:07 AM To: [email protected] Subject: Re: [ActiveDir] icmp's I personally haven't heard it referred to as "legacy". I think that may be because it wasn't a legacy method when I last heard it ;) I haven't tested this, so your mileage may vary but: the "legacy" method would have been created and designed for a time before ICMP was the norm. As such, I wouldn't expect that to break if ICMP was disabled. Several things will break, but I don't believe that's one of them. Test it. You'll know for sure then right? Besides, I don't imagine a lot of networks out there are configured with ICMP disabled like that. Al On 12/31/05, Tom Kern <[EMAIL PROTECTED]> wrote: Thats it. Isn't that the way its refered to in MS-speak? I hope i didn't just make that up... On 12/30/05, Brian Desmond <[EMAIL PROTECTED] > wrote: presumably setting the scriptPath attribute on accounts... Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 ________________________________ From: [EMAIL PROTECTED] on behalf of Al Mulnick Sent: Fri 12/30/2005 8:13 PM To: [email protected] Subject: Re: [ActiveDir] icmp's When you say legacy way, what does that mean exactly? On 12/30/05, Tom Kern < [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> > wrote: would this also affect clients from getting logon scripts? and when i say logon scripts, i mean the legacy way of distributing them, NOT thru GPO's. Thanks again On 12/30/05, Brian Desmond <[EMAIL PROTECTED] > wrote: You need to enable ICMP echo source clients dest dc's, and icmp echo-reply source dc's dest clients. The rules look something like this: access-list DC_VLAN_OUT line 1 permit icmp any object-group domain_controllers echo access-list DC_VLAN_IN line 1 permit icmp object-group domain_controllers any echo-reply Have your network people considered rate-limiting ICMP packets rather than shutting them down all together. IMHO that's the correct way to handle this. Ping (echo, echo-reply) and traceroute (traceroute, time-exceeded) are necessary pieces of a network. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 ________________________________ From: [EMAIL PROTECTED] on behalf of Tom Kern Sent: Fri 12/30/2005 9:25 AM To: activedirectory Subject: [ActiveDir] icmp's What affect would blocking icmp packets on all vlans have on win2k/xp client logons in a win2k forest? any? I know clients ping dc's to see which responds first and later ping dc's to determine round trip time for GPO processing, but would blocking icmp's have any adverse affects on clients? I only ask because my corp blocks icmp's on all our vlans and i get a lot of event id 1000 from Usernev with error code of 59 which when i looked up, refers to network connectivity issues. i think this event id is related to the fact we block icmp packets and i was wondering if thats something i should worry about in a win2k network. Thanks
<<winmail.dat>>
