Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Removing ping/icmp from a network

from [Michael Painter] Network Security [Permanent Link]
Subject: Re: Removing ping/icmp from a network
Date: Thu, 27 Mar 2008 19:02:23 -1000
----- Original Message ----- From: "Jason Thompson" <securitux@gmail.com>
To: <security-basics@securityfocus.com>
Sent: Wednesday, March 26, 2008 4:55 AM
Subject: Re: Removing ping/icmp from a network

[snip]

I don't see any ICMP messages that are a MUST for network operation.<< 


From:
http://en.wikipedia.org/wiki/PMTU

"Many "security" devices incorrectly block all ICMP messages, including the errors that are necessary for PMTUD to work. This can result in connections that complete the TCP three-way handshake correctly, but then hang when data is transferred. This state is referred to as a "black hole connection".

Some implementations of PMTUD now try to work around this by inferring that large payload packets have been dropped due to MTU rather than because of link congestion. However, in order for TCP to operate most efficiently, ICMP unreachables (type 3) should be permitted."


http://www.netheaven.com/pmtu.html

"Newer servers try to optimize their transmissions by discovering the path MTU and sending packets of the maximum size when there's enough data to fill them. The procedure for doing this was standardized and published as RFC 1191 in 1990, but it did not become widely deployed until years later. By mid 2002, 80% to 90% of computers on the internet used path MTU discovery.

The basic procedure is simple - send the largest packet you can, and if it won't fit through some link get back a notification saying what size will fit. The notifications arrive as ICMP (Internet Control Message Protocol) packets known as "fragmentation needed" ICMPs (ICMP type 3, subtype 4). The notifications are requested by setting the "do not fragment" (DF) bit in packets that are sent out."

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Looking For Security Metrics, Charles H. Leggett
Next by Date:  encryption software for pendrive, Lovena J Reddi
Previous by Thread:  RE: Removing ping/icmp from a network, Joachim Thuau
Next by Thread:  RE: Removing ping/icmp from a network, Edward Ling
Indexes:  [Date] [Thread] [Top] [All Lists]