Re: Access to the Internic Blocked
On itself, LSRR is a godsend to hackers (i can think of about a dozen of very nasty attacks using general LSRR). The only useful application for it is traceroute.
Why don't router vendors provide an option to turn it off for everything but ICMP ECHO?
--vadim
Speaking of which, is anyone going to implement traceroute for UNIX which uses icmp echo requests, instead of (semi-)random udp packets, as the ammo? This is one way which I think Microsoft outdid the old UNIX implementations.
The combination of the above and the below would give us the usefulness we want and the security we want. (I don't think the below would work with Van Jacobson's traceroute 1.2)
On Wed, 21 Aug 1996, Vadim Antonov wrote:
> On itself, LSRR is a godsend to hackers (i can think of about a dozen of very nasty attacks using general LSRR). The only useful application for it is traceroute.
> Why don't router vendors provide an option to turn it off for everything but ICMP ECHO?
> --vadim
> Speaking of which, is anyone going to implement traceroute for UNIX which uses icmp echo requests, instead of (semi-)random udp packets, as the ammo? This is one way which I think Microsoft outdid the old UNIX implementations.
They're not semi (or quasi) random udp packets. They're sequential packets.
Secondly, current router vendors' decisions to prioritize ICMP echo request as dung-level packets means that traceroute's UDP packets actually get through at times when pings don't.
Third, I'd be happy to implement it... but I'm not sure this would be a win. I can see the loss (see paragraph 2), but WHAT is the big win???
E
p.s. The original question was based on Vadim's rhetorical query as to router vendors. Learn to differentiate between WISHFUL THINKING and routing reality. When router vendors pledge to not drop, and properly route lsrr icmp echo request/reply that code will be online within 24 hours.
> The combination of the above and the below would give us the usefulness we want and the security we want. (I don't think the below would work with Van Jacobson's traceroute 1.2)
> On Wed, 21 Aug 1996, Vadim Antonov wrote:
> > On itself, LSRR is a godsend to hackers (i can think of about a dozen of very nasty attacks using general LSRR). The only useful application for it is traceroute.
> > Why don't router vendors provide an option to turn it off for everything but ICMP ECHO?
> > --vadim
In message <199608220449.VAA00216@quest.quake.net>, Vadim Antonov writes:
> On itself, LSRR is a godsend to hackers (i can think of about a dozen of very nasty attacks using general LSRR). The only useful application for it is traceroute.
> Why don't router vendors provide an option to turn it off for everything but ICMP ECHO?
> --vadim
I've said many times that if security in your network is weak enough that you need to worry about LSRR packets you need to worry about security in your network.
The minute someone unpacks a Sun workstation, configures an IP address and sticks it on the ethernet without installing the security patches and doing the administrative work needed to secure the machine, if you had a small hole in your security with LSRR, you now have a gaping hole in your security. If you are relying on blocking LSRR, your security is as weak as the most poorly administered machine on your network. A real bad thing if you are constantly hiring.
Even so, if anywhere, where you want LSRR turned off is the border router(s) in front of the machines used for operations, network management, etc. Obviously you want your network to be secure even if LSRR was enabled for the reason I cited above.
Curtis
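The policy raised at the start of the thread (source routing turned off for everything but ICMP ECHO), written out as a per-packet check on the IPv4 header options. This is an added example, not code from any poster in the thread or from any router vendor; treating SSRR the same as LSRR, dropping malformed headers and non-first fragments, and the `sample` helper with its documentation-range addresses are assumptions made here.

```python
LSRR, SSRR = 131, 137                      # IPv4 source-route option types (RFC 791)
ICMP, ECHO_REPLY, ECHO_REQUEST = 1, 0, 8

def ip_options(packet: bytes):
    """Return [(type, data), ...] for the options in an IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad header length")
    found, i = [], 20
    while i < ihl:
        opt = packet[i]
        if opt == 0:                       # End of Option List
            break
        if opt == 1:                       # No-Operation is a single byte
            i += 1
            continue
        if i + 1 >= ihl or packet[i + 1] < 2 or i + packet[i + 1] > ihl:
            raise ValueError("malformed option")
        length = packet[i + 1]
        found.append((opt, packet[i + 2:i + length]))
        i += length
    return found

def verdict(packet: bytes) -> str:
    """'pass' or 'drop': source routing allowed only on ICMP echo."""
    try:
        types = [t for t, _ in ip_options(packet)]
    except ValueError:
        return "drop"                      # assumption: fail closed on bad headers
    if LSRR not in types and SSRR not in types:
        return "pass"
    ihl = (packet[0] & 0x0F) * 4
    fragment_offset = int.from_bytes(packet[6:8], "big") & 0x1FFF
    if packet[9] != ICMP or fragment_offset or len(packet) <= ihl:
        return "drop"                      # no ICMP header available to inspect
    return "pass" if packet[ihl] in (ECHO_REQUEST, ECHO_REPLY) else "drop"

def sample(proto: int, options: bytes, payload: bytes) -> bytes:
    """Constructed packet for the demo; checksums are zero and not checked."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    total = (ihl * 4 + len(payload)).to_bytes(2, "big")
    return (bytes([0x40 | ihl, 0]) + total + bytes(4) + bytes([64, proto, 0, 0])
            + bytes([192, 0, 2, 1, 198, 51, 100, 7]) + options + payload)

LSRR_OPT = bytes([LSRR, 7, 4, 203, 0, 113, 9])   # one hop, constructed
if __name__ == "__main__":
    print(verdict(sample(17, LSRR_OPT, bytes(8))))                        # UDP probe
    print(verdict(sample(1, LSRR_OPT, bytes([8, 0, 0, 0, 0, 1, 0, 1]))))  # ICMP echo
```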
participants (4)
- Curtis Villamizar
- Edward Henigin
- Ehud Gavron
- Vadim Antonov