[LINK] DNS outage?

Stilgherrian stil at stilgherrian.com
Wed Jul 29 10:02:10 AEST 2009


On 29/07/2009, at 9:40 AM, Rick Welykochy wrote:
>> block such attempts to do reconnaissance like that, for security   
>> reasons, as someone said earlier.
>
> I suppose that host discovery is one of those concerns. Other linkers
> may be able to point to other security concerns and the reason that
> ICMP is being blocked. I certainly would like to know if this is
> overcautious. Sometimes I think this is the case.
>
> Have there been any exploits or attacks based on ICMP, for example?

That last bit is a question above my pay grade, but...

But ICMP can certainly be used to map and profile a network. You can,  
for example, find out what specific version of an operating system  
some box is running by sending a few well-crafted packets. Once you  
know that, you can then better plan your attack. Blocking most of ICMP  
means you close off that possibility for reconnaissance.

If you're talking REALLY secure, it's not about stopping just the  
known exploits, but reducing the potential for exploits through  
unknown vulnerabilities. Allow ONLY the packets necessary to provide  
the service and block everything else.

People who do infosec for a living may well shoot holes in what I just  
said. Please, clarify.

Stil



-- 
Stilgherrian http://stilgherrian.com/
Internet, IT and Media Consulting, Sydney, Australia
mobile +61 407 623 600
fax +61 2 9516 5630
Twitter: stilgherrian
Skype: stilgherrian
ABN 25 231 641 421



