On Sat, Aug 8, 2015 at 7:36 AM, C.v.St. <stucki-s...@t-online.de> wrote:
> The more ports of a host are not firewalled, the more ports an attacker
> can use to send faked packets to, to provoke (e.g.) misdirected 'ICMP
> PORT UNREACHABLE' responses to a third party. So opening more ports
> makes somebody unknown elsewhere more vulnerable and makes a 'local
> server' machine more suspect. So some people strictly minimize the
> number of visible ports to the outside to only a few well-known ports.
I don't follow this argument about how "opening more ports makes somebody unknown elsewhere more vulnerable" -- am I missing something here?

From some quick measurements, Linux throttles its ICMP port unreachable messages on a total outgoing basis. It doesn't matter how many ports you have open -- 1,000 incoming datagrams to the same port will get the same number of IP port unreachables as 1 incoming datagram directed to each of 1,000 ports. It doesn't matter whether the IP datagrams are TCP or UDP. (ICMP port unreachables are sent in reply to both.)

It doesn't even matter whether a socket is listening on that port or not. If something is listening, Linux will respond with a TCP SYNACK (if TCP) or a Mosh reply message (if Mosh and if the incoming datagram passed the integrity check against the shared secret key). If nothing is listening, Linux will respond with an ICMP port unreachable. A TCP SYNACK can be larger than an ICMP port unreachable. In all these cases, an incoming IP datagram earns a reply to the apparent IP source address -- but there is no significant amplification.

So I don't follow the concern here. If an institution is really worried about ICMP, it should block ICMP. But in what respect is an ICMP port unreachable reply, when directed to a third party, more harmful than a TCP SYNACK or other reply? (Mosh in general fixes this problem of third-party attacks by not responding to anything unless it passes the integrity check.)

-Keith

_______________________________________________
mosh-devel mailing list
mosh-devel@mit.edu
http://mailman.mit.edu/mailman/listinfo/mosh-devel
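The two points Keith makes above, modelled in a small Python example that is added here and is not code from the Mosh project or from anyone in the thread. It assumes a simplified host: ICMP "port unreachable" replies draw from one token bucket shared by every port (a stand-in for the kernel's per-destination and global ICMP limits, not a reimplementation of them), and a Mosh-style UDP listener answers only datagrams whose HMAC-SHA256 tag verifies under the shared secret (Mosh's real protocol uses an authenticated cipher; the HMAC framing here is an assumption). The constructed scenarios show that 1,000 datagrams to one closed port and one datagram to each of 1,000 closed ports earn the same number of ICMP replies, and that a datagram failing the integrity check earns no reply at all.

```python
"""Added example (not Mosh project code): a host whose ICMP port unreachable
replies share one token bucket, plus a Mosh-style responder that stays silent
unless the datagram authenticates. All names and framing here are assumed."""
import hmac
import hashlib
from typing import Optional


class IcmpRateLimiter:
    """Token bucket shared by every ICMP error the host emits.

    Assumed simplification: Linux actually limits ICMP per destination
    (net.ipv4.icmp_ratelimit) and globally (net.ipv4.icmp_msgs_per_sec);
    the point modelled here is only that the limit is not per port."""

    def __init__(self, burst: int, tokens_per_ms: float) -> None:
        self.burst = burst
        self.rate = tokens_per_ms
        self.tokens = float(burst)
        self.last_ms = 0

    def allow(self, now_ms: int) -> bool:
        self.tokens = min(self.burst, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Host:
    """A host with some TCP listeners and some Mosh-style UDP listeners."""

    TAG_LEN = 32  # HMAC-SHA256 tag appended to each Mosh-style datagram (assumed framing)

    def __init__(self, tcp_ports, mosh_ports: dict, limiter: IcmpRateLimiter) -> None:
        self.tcp_ports = set(tcp_ports)
        self.mosh_ports = dict(mosh_ports)  # port -> shared secret
        self.limiter = limiter

    def handle(self, proto: str, port: int, payload: bytes, now_ms: int) -> Optional[str]:
        """Return the kind of reply the host would send, or None for silence."""
        if proto == "tcp" and port in self.tcp_ports:
            return "SYNACK"
        if proto == "udp" and port in self.mosh_ports:
            # Mosh-style: reply only if the datagram authenticates under the shared key.
            return "MOSH_REPLY" if verify(self.mosh_ports[port], payload) else None
        # Nothing listening: ICMP port unreachable, subject to the host-wide limiter.
        return "ICMP_UNREACH" if self.limiter.allow(now_ms) else None


def seal(secret: bytes, body: bytes) -> bytes:
    """Client side: append an HMAC-SHA256 tag over the body."""
    return body + hmac.new(secret, body, hashlib.sha256).digest()


def verify(secret: bytes, datagram: bytes) -> bool:
    """Server side: constant-time check of the trailing tag; short datagrams fail."""
    if len(datagram) < Host.TAG_LEN:
        return False
    body, tag = datagram[:-Host.TAG_LEN], datagram[-Host.TAG_LEN:]
    return hmac.compare_digest(hmac.new(secret, body, hashlib.sha256).digest(), tag)


def count_unreachables(targets, burst: int = 100, rate: float = 0.0) -> int:
    """Deliver one datagram per entry of `targets` (repeats allowed) within the
    same millisecond and count ICMP replies. rate=0 makes the burst the only
    budget, so the two scenarios compare exactly."""
    host = Host(tcp_ports=[], mosh_ports={}, limiter=IcmpRateLimiter(burst, rate))
    return sum(host.handle("udp", p, b"x", now_ms=0) == "ICMP_UNREACH" for p in targets)


def mosh_replies(secret: bytes) -> tuple:
    """Authenticated datagram, forged datagram, and datagram to a closed port."""
    host = Host(tcp_ports=[22], mosh_ports={60001: secret}, limiter=IcmpRateLimiter(100, 0.0))
    good = host.handle("udp", 60001, seal(secret, b"hello"), 0)
    forged = host.handle("udp", 60001, b"hello" + b"\x00" * Host.TAG_LEN, 0)
    closed = host.handle("udp", 60002, b"hello", 0)
    return good, forged, closed


if __name__ == "__main__":
    # Constructed scenarios: 1,000 datagrams to one closed port vs. one each to 1,000 ports.
    same_port = count_unreachables([40000] * 1000)
    many_ports = count_unreachables(range(40000, 41000))
    print(same_port, many_ports)  # → 100 100: the shared bucket, not the port count, bounds replies
    print(mosh_replies(b"constructed-shared-secret"))  # → ('MOSH_REPLY', None, 'ICMP_UNREACH')
```

The forged datagram gets `None` rather than any error reply, which is the property Keith attributes to Mosh: a packet with a spoofed source that fails the integrity check produces no traffic toward the spoofed third party. The TCP listener on port 22 answers with a SYNACK as it normally would, so the comparison he draws between a SYNACK and an ICMP reply is visible in the same model.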