Home page logo

firewall-wizards logo Firewall Wizards mailing list archives

Re: TTL, works with Cisco ACL's to :)
From: Lance Spitzner <lance () spitzner net>
Date: Thu, 9 Nov 2000 23:23:51 -0600 (CST)

On Thu, 9 Nov 2000, Alex Goldney wrote:

I know a lot of sites don't do good egress filtering, and I guess that is
the point that needs to be hammered home.....

Actually many sites do have egress filtering.  However, the filtering device
is filtering outbound traffic generated by the internal network.  What many
sites are NOT doing is egress filtering of traffic generated by the filtering
device itself.  The filtering device is trusted, so it is allowed to generate
and send any traffic it wants to.  That is why I belive the use of TTL within 
port scans can be effective against many filtering devices.

On Thu, 9 Nov 2000, Alex Goldney wrote:

OK, so you aren't blocking any ICMP packets with access-lists.  
That should avoid the problem, no?  Of course, it can be considered 
a bit unfriendly to block the lot.

PATH MTU discovery stuff should be allowed at least in general.  I guess
that opens up the possiblility for the same type of attack if the MTU for
one of your routers links is less than the MTU of the incoming internet
link.  This case should be pretty rare though.

Keep in mind, many Firewalls/Screening Routers do not block ICMP error
messages.  Those that do block ICMP error messages block them inbound from
the untrusted networks, such as the Internet, or block them inbound from
internal networks.  However, most rulebases/ACLs do NOT block ICMP error
messages generated by the filtering device itself.

Keep in mind, this is a generalization based on my experience.


Lance Spitzner

firewall-wizards mailing list
firewall-wizards () nfr com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]