[plug] paranoia

Lindsay Allen allen at cleo.murdoch.edu.au
Mon Aug 24 11:42:08 WST 1998


Hi Matt,

Sort of understood.  I'll keep thinking about all that.  As is usually the
case the reply raised more questions, such as why I cannot get
speak-freely or netmeeting to work over a masqueraded connection.  But I
don't expect you or anyone else to give me lessons via the list.  I might,
though, try to pick a few brains tonight! 

I tried a few times to set up fire-walling but usually managed to lock
myself out in the process.  I'm going to ask Chris if I can sit in on one
of his Unix courses, the way that Murdoch allows.

Many thanks for your detailed response.

Lindsay
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Lindsay Allen   <allen at cleo.murdoch.edu.au>  Perth, Western Australia
voice +61 8 9316 2486    32.0125S 115.8445E    vk6lj      Debian Linux
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

On Mon, 24 Aug 1998, Matt Kemner wrote:

> On Mon, 24 Aug 1998, Lindsay Allen wrote:
> 
> > Mon Aug 24 09:35:33 destination unreachable from cyberthrill.com [207.139.24.6]
> > Mon Aug 24 09:45:21 destination unreachable from linux.cbcfreo.wa.edu.au [192.168.1.1]
> 
> Don't worry about them too much.. Very much a part of the IP protocol is
> the ICMP protocol, which you are seeing at work here.. What iplogger is
> logging here, are ICMP type 3 messages, which tell an application that
> the port or host they are trying to connect to is unreachable.
> Eg. say you try to access the nameserver on dns.cyberthrill.com, but the
> host itself is down, the router nearest the nameserver will send you a
> "host unreachable" (ICMP type 3 code 1) message (resulting in a "no route
> to host" error message)
> 
> If the host itself is up, but the named itself is down, the host itself
> will send a "port unreachable" (type 3 code 3) for port 53. 
> 
> Note: a fundamental flaw of the IP protocol lies here - because it is so
> easy to spoof IP packets, all you have to do to break someone's irc
> connection (for example) is to send an unreachable message that is
> forged to come from the irc server - all you need to know is the source
> and destination ports. (so you send a whole bunch of them each with a
> different "source" port number until you succeed) - this type of Denial of
> Service is very popular these days, and will continue to be rampant until
> a) the IP protocol is improved (eg ipv6) or b) all ISPs block outgoing
> packets that do not match their class C's. (eg, no Networx customer can
> send a packet out that does not have a source address of 203.30.239.*,
> 203.56.13.* or 202.61.222.*)
> 
> Also, if you want to crash someone's mIRC connection, you do not even have
> to spoof the ICMP packet to come from the irc server, you only have to
> have the contents of the ICMP packet match the existing TCP connection.
> (and the program that's doing the 'rounds' at the moment does exactly
> that, which makes it very easy to track down who really sent the packet -
> I noticed that, for example, I was getting messages from a modem host at
> iiNet that told one of my modems that aussie.oz.org was unreachable... bit
> suss... :)
> 
> If I didn't know better I'd say that this was a fundamental flaw in the
> windows TCP/IP stack, but we all know that there are no flaws in windows,
> right? ;) (http://www.cantrip.org/nobugs.html)
> 
>  - Matt
> 
> 
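The mechanism Matt describes above, as an added example that is not code from the plug thread or from either poster: an ICMP Destination Unreachable error quotes the IP header of the packet that provoked it plus the first 8 bytes of its payload, which for TCP is the source port, destination port and sequence number. A stack that looks only at the quoted ports will accept a forged error whatever its outer source address, which is exactly why a spoofer "only has to have the contents of the ICMP packet match the existing TCP connection". The sequence-number check and the egress filter are the two defences named or implied in the post. All packets, addresses (198.51.100.1, 192.0.2.6, 203.30.239.17), the connection table and the Networx prefixes (taken as quoted in the 1998 post, used here only as sample data) are constructed for the example.

```python
"""Parse ICMP Destination Unreachable messages and decide whether a TCP stack
should act on them.  Added example; packets are built by hand, no sockets."""
import ipaddress
import struct

IPPROTO_ICMP, IPPROTO_TCP = 1, 6
ICMP_DEST_UNREACH = 3
# RFC 1122 4.2.3.9: codes 2 (protocol), 3 (port) and 4 (frag needed) are hard
# errors that abort a connection; net/host unreachable (0, 1) are only hints.
HARD_CODES = {2, 3, 4}

# Constructed connection table: (local_ip, local_port, remote_ip, remote_port)
# -> send window.  The "IRC server" 192.0.2.6:6667 is an assumption.
CONNECTIONS = {
    ("203.30.239.17", 1045, "192.0.2.6", 6667): {"snd_una": 1000, "snd_nxt": 1400},
}

# Prefixes quoted in the post as Networx's class C's (sample data only).
ISP_PREFIXES = [ipaddress.ip_network(p) for p in
                ("203.30.239.0/24", "203.56.13.0/24", "202.61.222.0/24")]


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def build_icmp_unreachable(src_ip, dst_ip, code, inner_src, inner_dst, sport, dport, seq):
    """Outer IP + ICMP type 3 header + quoted IP header + first 8 bytes of TCP."""
    quoted = _ip_header(inner_src, inner_dst, IPPROTO_TCP, 8) + struct.pack("!HHI", sport, dport, seq)
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    return _ip_header(src_ip, dst_ip, IPPROTO_ICMP, len(icmp)) + icmp


def parse_icmp_unreachable(packet: bytes):
    """Return the fields a stack uses, or None if this is not a well-formed type 3."""
    if len(packet) < 56 or packet[0] != 0x45 or packet[9] != IPPROTO_ICMP:
        return None
    icmp = packet[20:]
    if icmp[0] != ICMP_DEST_UNREACH or _checksum(icmp) != 0:
        return None
    inner = icmp[8:]
    if inner[0] != 0x45 or inner[9] != IPPROTO_TCP:
        return None
    sport, dport, seq = struct.unpack("!HHI", inner[20:28])
    return {"outer_src": str(ipaddress.ip_address(packet[12:16])), "code": icmp[1],
            "inner_src": str(ipaddress.ip_address(inner[12:16])),
            "inner_dst": str(ipaddress.ip_address(inner[16:20])),
            "sport": sport, "dport": dport, "seq": seq}


def classify(packet: bytes, connections=CONNECTIONS, check_seq=True) -> str:
    """'ignore', 'soft' or 'abort'.  Note the outer source address is never
    consulted: only the quoted 4-tuple (and, if enabled, the sequence number)
    ties the error to a connection, which is what makes forging easy."""
    info = parse_icmp_unreachable(packet)
    if info is None:
        return "ignore"
    state = connections.get((info["inner_src"], info["sport"], info["inner_dst"], info["dport"]))
    if state is None:
        return "ignore"
    # RFC 5927 hardening: the quoted seq must fall inside the unacknowledged
    # send window, which a remote attacker who knows only the ports cannot guess.
    if check_seq and not (state["snd_una"] <= info["seq"] < state["snd_nxt"]):
        return "ignore"
    return "abort" if info["code"] in HARD_CODES else "soft"


def forged_packets_accepted(attacker_ip, victim_ip, port_guesses, server_ip, server_port,
                            connections=CONNECTIONS, check_seq=True) -> int:
    """Matt's attack: spray port-unreachable errors, one per guessed client port."""
    return sum(classify(build_icmp_unreachable(attacker_ip, victim_ip, 3, victim_ip, server_ip,
                                               port, server_port, 0), connections, check_seq) == "abort"
               for port in port_guesses)


def egress_allowed(src_ip: str, prefixes=ISP_PREFIXES) -> bool:
    """Matt's option (b): an ISP border drops packets whose source is not its own."""
    return any(ipaddress.ip_address(src_ip) in net for net in prefixes)
```

Without the sequence check the spray succeeds as soon as it hits the right client port; with it, every forged packet with a guessed sequence number is dropped. The egress filter addresses the other half of the problem: it stops the forged packet leaving the attacker's ISP at all, regardless of what the victim's stack does with it.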

