Diary of a geek


Andrew Pollock


Friday, 11 March 2005

Blosxom ate my flavours again

Real men don't backup, they just use Google's cache.

Argh. I just got bitten by #265021 again. Thank $DEITY for Google's cache. I managed to repair the damage with about half an hour of reverse engineering the HTML output with a cached copy and vimdiff.

I vented my frustration by raising the severity of the bug.

Meanwhile, rather than just bitching and moaning about it, I'll put blosxom on hold and put some thought into how to handle it better.

[22:54] [rant] [permalink]

Covert tunnelling over ICMP Destination Unreachable (Fragmentation Required) packets?

I had an interesting discussion this afternoon at work regarding the pros and cons of permitting ICMP messages into the classified gateway environment that we manage.

The necessity came up because something has been changed with the WAN link between the site where I work and the site in Sydney, and the MTU is now something more like 1300.

We're faced with the choice of:

  • enabling ICMP Destination Unreachable packets through the firewalls involved
  • lowering the MTU on the interfaces of all the servers in the environments affected
  • stripping the Don't Fragment bit on all the IP datagrams at some point before they traverse the WAN

If it were up to me, I'd be in favour of complying with RFC 1191 and being done with it, but one of my co-workers piped up about covert tunnelling over ICMP.

I have to admit that I hadn't heard about this until today. I had a read of the Phrack article in question, and it talks about doing it with ICMP Echo Request and Echo Reply packets, because these can readily have data added to the payload.

I'm interested in hearing about any exploitation of ICMP Destination Unreachable packets for such unintended purposes. I've raised this on the SAGE-AU mailing list, and the general consensus of responses so far is that blocking such ICMP messages is going to cause all sorts of breakage, and that if you're going to get paranoid about covert tunnelling over ICMP, you need to start worrying about IP over DNS and HTTPS proxying and a lot of physical security issues.

I agree completely. I'm all for Path MTU Discovery working as intended, unless someone can give me a good reason to the contrary. If I get time over the weekend, I'll have a bit of a play with Ethereal and something like sendip on my home LAN.
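An added example, not part of the original post: the middle ground between blocking ICMP Destination Unreachable outright and passing it blindly is to admit only Fragmentation Needed messages (type 3, code 4) that make sense for a connection the firewall has already seen, which is what a stateful firewall's "related" matching does. The code below parses such a message, verifies its checksum, checks the RFC 1191 Next-Hop MTU field and the quoted original datagram for plausibility, and reports how many quoted bytes beyond the mandatory 8 an attacker could use as a covert payload. The addresses, the flow table and the message bytes are constructed for the demonstration; `known_flows` is a simplified stand-in for a real connection-tracking table.

```python
"""Sanity-check ICMP Fragmentation Needed (type 3, code 4) messages before
letting them through for Path MTU Discovery (RFC 1191). Added example."""
import socket
import struct
from dataclasses import dataclass

ICMP_DEST_UNREACH = 3   # ICMP type (RFC 792)
CODE_FRAG_NEEDED = 4    # "fragmentation needed and DF set"
IPV4_MIN_MTU = 68       # RFC 1191: a host never lowers its PMTU estimate below this
IP_DF = 0x4000          # Don't Fragment bit in the IPv4 flags/fragment-offset word


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, total_length: int, df: bool = True) -> bytes:
    """Minimal 20-byte IPv4 header with a valid header checksum (constructed test input)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234, IP_DF if df else 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_frag_needed(next_hop_mtu: int, quoted: bytes, unused: int = 0) -> bytes:
    """Assemble a type 3 / code 4 message quoting `quoted` (original IP header + payload)."""
    hdr = struct.pack("!BBHHH", ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, 0, unused, next_hop_mtu)
    csum = inet_checksum(hdr + quoted)
    return hdr[:2] + struct.pack("!H", csum) + hdr[4:] + quoted


@dataclass
class FragNeeded:
    unused: int            # 16 bits RFC 1191 leaves unused; should be zero
    next_hop_mtu: int      # RFC 1191 Next-Hop MTU (zero from pre-1191 routers)
    inner_src: str
    inner_dst: str
    inner_proto: int
    inner_total_length: int
    inner_df: bool
    quoted_payload: bytes  # bytes of the original datagram after its IP header


def parse_frag_needed(icmp: bytes) -> FragNeeded:
    """Decode an ICMP Destination Unreachable / Fragmentation Needed message."""
    if len(icmp) < 8 + 20:
        raise ValueError("too short for an ICMP header plus a quoted IPv4 header")
    icmp_type, code, _csum, unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (ICMP_DEST_UNREACH, CODE_FRAG_NEEDED):
        raise ValueError("not a Fragmentation Needed message")
    if inet_checksum(icmp) != 0:          # sum over the whole message must fold to zero
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]
    ver_ihl, _tos, tot_len, _ident, flags_frag, _ttl, proto, _hcs, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", inner[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(inner) < ihl:
        raise ValueError("quoted datagram is not a well-formed IPv4 header")
    return FragNeeded(unused, mtu, socket.inet_ntoa(src), socket.inet_ntoa(dst), proto,
                      tot_len, bool(flags_frag & IP_DF), inner[ihl:])


def frag_needed_issues(msg: FragNeeded, known_flows: set) -> list:
    """Reasons a stateful filter would drop the message; an empty list means pass it.
    known_flows holds (src, dst, proto) tuples of connections seen leaving the site;
    a genuine Fragmentation Needed error quotes one of them in the original direction."""
    issues = []
    if msg.unused != 0:
        issues.append("unused field is nonzero")
    if msg.next_hop_mtu != 0 and msg.next_hop_mtu < IPV4_MIN_MTU:
        issues.append("next-hop MTU below 68")
    if msg.next_hop_mtu != 0 and msg.next_hop_mtu >= msg.inner_total_length:
        issues.append("next-hop MTU not smaller than the quoted datagram")
    if not msg.inner_df:
        issues.append("quoted datagram did not set DF")
    if (msg.inner_src, msg.inner_dst, msg.inner_proto) not in known_flows:
        issues.append("quoted flow unknown")
    return issues


def covert_capacity(msg: FragNeeded) -> int:
    """Quoted bytes beyond the 8 RFC 792 requires: RFC 1812 lets a router quote up to
    576 bytes in total, and a sender who controls the message can fill that with anything."""
    return max(0, len(msg.quoted_payload) - 8)


KNOWN_FLOWS = {("10.1.1.5", "10.2.2.9", 6)}   # constructed: one TCP flow to the Sydney site


def demo():
    """A genuine 1300-byte-MTU error for a tracked flow, then a forged one (constructed data)."""
    legit_inner = build_ipv4_header("10.1.1.5", "10.2.2.9", 6, 1500) + bytes(8)
    legit = parse_frag_needed(build_frag_needed(1300, legit_inner))
    bogus_inner = build_ipv4_header("10.1.1.5", "10.9.9.9", 6, 1500, df=False) + b"A" * 64
    bogus = parse_frag_needed(build_frag_needed(40, bogus_inner, unused=0xBEEF))
    return frag_needed_issues(legit, KNOWN_FLOWS), frag_needed_issues(bogus, KNOWN_FLOWS), covert_capacity(bogus)


if __name__ == "__main__":
    print(demo())
```

The MTU checks deliberately exempt a Next-Hop MTU of zero, because routers that predate RFC 1191 send exactly that and the host is then expected to fall back to the RFC 1191 plateau table; dropping those would reintroduce the very breakage the SAGE-AU replies warn about.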

[01:27] [tech/security] [permalink]