Guys, generally I take the view that no ICMP should be allowed past the
border router. It may not be seen as a serious vulnerability, but being
able to map a target network gives an attacker a serious advantage. 

This situation is really quite ridiculous though. Surely the ISP should
be monitoring the mail server's attempts to pause and resend mail if
connections fail, instead of asking its customers to compromise what
could quite reasonably be thought of as their security policy. 

If you allow ICMP through the firewall to protected hosts, could this
allowed data flow be used to compromise the security of the firewall,
i.e. pings and ARP requests?

Bye.

> ----------
> From:         patrick kerry
> Sent:         08 June 2001 06:52
> To:   Zachary Uram
> Cc:   Barry George; [EMAIL PROTECTED]
> Subject:      Re: ICMP packets and Firebox II
> 
> A DOS attack is based on making more requests than the
> devices receiving the requests can handle.  A true
> attack is launched from many locations at the same
> time and can cripple nearly any network device that is
> involved on the receiving end. When traffic is
> disallowed by the firewall, the firewall still has to
> determine that it is not allowed (whether by default
> as you say or not) so enough of this rejected traffic
> can still bring you down.  Also, typically a DOS attack
> is launched against Web servers in a DMZ that must
> allow HTTP(80) to function.  The chances of someone
> launching a DOS attack on just any old firewall or
> webserver are slim to none, what fun would that be. 
> Everybody wants to bring down the big guys.
> 
> Checkpoint, the leading firewall in the industry, has
> attempted to develop their software (SYNDEFENDER) to
> stop DOS attacks and in real world tests it failed
> miserably.  
> 
> remember syn syn/ack ack  
> 
> 
>     
> --- Zachary Uram <[EMAIL PROTECTED]> wrote:
> > so then the firewall is totally helpless against a DoS attack?
> > that sounds really bad
> > there must be some way around this
> > such as all packets are encrypted to you and are
> > ignored by default
> > 
> > On Thu, 7 Jun 2001, patrick kerry wrote:
> > 
> > > There is no mechanism to stop a DOS attack on the
> > > firebox.  Actually on most firewalls a true DOS attack
> > > is impossible to stop.  Have your Firewall admin allow
> > > the ICMP packets inbound from only that mail server
> > > (host).  I doubt if your ISP will launch a DOS attack
> > > against you, even if they did you would be helpless
> > > against it.
> > > --- Barry George <[EMAIL PROTECTED]> wrote:
> > > > Hi All, 
> > > >  
> > > > We have a Firebox II setup stopping most of what we
> > > > don't want.
> > > > Everything has been running nicely, then our city
> > > > run ISP installed a new mail server. We found that
> > > > mail from its domain was being slowed down or blocked.
> > > > On inspection it turns out that our firewall was being
> > > > hit constantly by their mail server, destined for our
> > > > mail server. Seems they are sending ICMP packets for
> > > > PMTU discovery, so the Firebox sees these ICMP packets
> > > > as a possible DoS attack and locks out the domain.
> > > > Seems the frequency has increased to several packets
> > > > per second at worst. 
> > > > The ISP says they are just following standard RFC1191
> > > > protocols, but something has to have changed as we
> > > > haven't had this problem before.
> > > >  
> > > > If we let these through to our mail server are we
> > > > opening ourselves up to attack? Sorry I don't directly
> > > > configure the Firebox myself so I'm not sure what
> > > > config. capabilities it has. I'd appreciate any
> > > > discussion on this.
> > > >  
> > > > Barry
> > > > 
> > > 
> > > 
> > > __________________________________________________
> > > Do You Yahoo!?
> > > Get personalized email addresses from Yahoo! Mail - only $35 
> > > a year!  http://personal.mail.yahoo.com/
> > > -
> > > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > > "unsubscribe firewalls" in the body of the message.]
> > > 
> > 
> > 
> > [EMAIL PROTECTED]
> > "Blessed are those who have not seen and yet have
> > faith." - John 20:29
> > 
> 
> 
> 

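None of the replies spell out what "let through only the ICMP that PMTU discovery needs" would actually check, so here is an added illustration (not from any poster, and not Firebox configuration): a small Python filter that applies that policy to constructed packets. It accepts only ICMP type 3/code 4 (Fragmentation Needed, the message RFC 1191 relies on) from the ISP mail host, addressed to our mail server, quoting one of our own outbound packets, with a plausible MTU, under a per-second cap; everything else, pings included, is dropped. The addresses, the 1500-byte upper bound and the rate are assumptions.

```python
import struct
from collections import defaultdict, deque

# Constructed placeholder addresses (RFC 5737 documentation ranges); the thread names no real hosts.
ISP_MAIL_SERVER, OUR_MAIL_SERVER = "192.0.2.10", "198.51.100.25"
FRAG_NEEDED = (3, 4)        # ICMP Destination Unreachable / Fragmentation Needed, what RFC 1191 needs
MAX_PER_SECOND = 10         # assumed cap: the "several per second" in the thread fits, a flood does not
_seen = defaultdict(deque)  # per-source timestamps for the sliding-window rate limit

def ip4(b): return ".".join(map(str, b))

def build_icmp(src, dst, itype, code, mtu=0, inner_src=None, inner_dst=None):
    """Constructed sample packet: IPv4 header + ICMP header + quoted inner IPv4 header (checksums left zero)."""
    def hdr(s, d, proto):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                           bytes(map(int, s.split("."))), bytes(map(int, d.split("."))))
    icmp = struct.pack("!BBHHH", itype, code, 0, 0, mtu)   # bytes 6-7 carry the next-hop MTU
    inner = hdr(inner_src, inner_dst, 6) if inner_src else b""
    return hdr(src, dst, 1) + icmp + inner

def parse(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    f = {"proto": pkt[9], "src": ip4(pkt[12:16]), "dst": ip4(pkt[16:20])}
    icmp = pkt[ihl:]
    f["type"], f["code"] = icmp[0], icmp[1]
    f["mtu"] = struct.unpack("!H", icmp[6:8])[0]
    inner = icmp[8:]   # an ICMP error quotes the IP header of the packet that triggered it
    f["inner_src"], f["inner_dst"] = (ip4(inner[12:16]), ip4(inner[16:20])) if len(inner) >= 20 else (None, None)
    return f

def decide(pkt, now):
    """Verdict for one inbound packet at time `now` (seconds): ('ACCEPT'|'DROP', reason)."""
    f = parse(pkt)
    if f["proto"] != 1:
        return "DROP", "not ICMP"
    if (f["type"], f["code"]) != FRAG_NEEDED:
        return "DROP", "ICMP type/code not needed for PMTUD"   # echo requests (pings) land here
    if f["src"] != ISP_MAIL_SERVER:
        return "DROP", "source is not the ISP mail server"
    if f["dst"] != OUR_MAIL_SERVER or f["inner_src"] != OUR_MAIL_SERVER or f["inner_dst"] != ISP_MAIL_SERVER:
        return "DROP", "not an error about our mail server's own traffic to that host"
    if not 68 <= f["mtu"] <= 1500:   # 68 is the RFC 1191 floor; 1500 assumes our own link is Ethernet
        return "DROP", "implausible next-hop MTU"
    q = _seen[f["src"]]
    while q and now - q[0] >= 1.0: q.popleft()   # keep only the last second of arrivals
    q.append(now)
    if len(q) > MAX_PER_SECOND:
        return "DROP", "rate limit exceeded"
    return "ACCEPT", "fragmentation-needed for our own flow"
```

A real firewall would also tie the quoted inner header to a connection it has seen, which is what distinguishes a legitimate PMTU message from one that merely has the right type and source.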