<div dir="ltr"><br><br><div class="gmail_quote">On Wed, Oct 20, 2010 at 7:00 AM, Shachar Shemesh <span dir="ltr"><<a href="mailto:shachar@shemesh.biz">shachar@shemesh.biz</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div style="direction:ltr" bgcolor="#ffffff" text="#000000"><div class="im">
<p style="direction:ltr">On 19/10/10 20:56, shimi wrote:<br>
</p>
<blockquote style="direction:ltr" type="cite"><div style="direction:ltr" dir="ltr">
<br><div style="direction:ltr" class="gmail_quote">
</div>Mitigating some of a Denial Of Service attack. If a machine replies to
ICMP Echo DoS attack, it doubles the amount of traffic it has to handle.
</div>
</blockquote></div>
Despite an extensivish knowledge in DoS attack types, I have no idea
what you are talking about. Are you referring to a traffic multiplying
attack (in which case it is a third party that gets the multiple
packets), which can be blocked by blocking the broadcast address, or is
this some form in which the machine itself has to handle more traffic
merely because "ping" is open?<div class="im"><br></div></div></blockquote><div><br>No, merely wasting upstream bandwidth, for every packet being received,
an (almost) equal packet is being sent back. Why waste upstream
bandwidth and help the attacker saturate your bandwidth / CPU resources?<br><br>(and yes, there is the more severe type of amplified attack, but I was talking on even more trivial stuff...)<br></div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div style="direction: ltr;" bgcolor="#ffffff" text="#000000"><div class="im">
<blockquote style="direction:ltr" type="cite">
<div style="direction:ltr" dir="ltr">
<div style="direction:ltr" class="gmail_quote">
<div style="direction:ltr"> Since blocking ICMP Echo has no actual
effect on any other thing beside of checking if a machine is alive,
they believe the benefit of not "participating" in a DoS attack
outweights the lack of ability to ping-test the machine. (not to
mention that it may be filtering just *some* of the ICMP Echo packets,
and may be responding to ICMP Echo if sent from a limited set of IPs
(for example a monitoring machine and/or the sysadmin's IP pool...)<br>
</div>
</div>
</div>
</blockquote></div>
I think you are over estimating the amount of firewall resources
hosting is willing to allocate to your machine.<div class="im"><br></div></div></blockquote><div><br>I may be. This type of filtering is probably standard in every dedicated server hosting package offering I have received on the past 5+ years... it's usually called "shared firewall service". <br>
</div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div style="direction: ltr;" bgcolor="#ffffff" text="#000000"><div class="im">
<blockquote style="direction:ltr" type="cite">
<div style="direction:ltr" dir="ltr">
<div style="direction:ltr" class="gmail_quote">
<div style="direction:ltr"> <br>
</div>
<div style="direction:ltr"><br>
The annoying ones: <br>
PMTU[1] breaks. If any router / medium in the middle cannot support the
client/server MTU (typically - 1500), and a packet with the DF[2] flag
is sent, it will be dropped "silently" and the sender wouldn't know,
and re-transmit the packet until the connection times out and dies.<br>
<br>
</div>
</div>
</div>
</blockquote></div>
I'm not sure "annoying" is the right word. This type of breakage is
called "PMTU black hole", and prevents ANY type of traffic from
arriving at the machine, under some circumstances. In fact, this
problem is so prevalent that, when installing ADSL, you are instructed
to squash the MSS, just so you can communicate with such broken setups.<div class="im"><br></div></div></blockquote><div><br>That's a POV. For me, anything I can solve without requiring "a favor" from the ISP (when was the last time an ISP did what you wanted?), is "annoying". Especially when the behavior is easy to detect... That's contrary to stuff that gets imposed on you that you can't do anything about[*]; For example: a QoS policy dedicating 99% of the ISP Intl's bandwidth to HTTP/S traffic, and the rest %1 for everything else, including SSH, rsync, CVS etc. (starting 6pm until 1am, forget on running TCP connections for non web traffic...). That's far beyond annoying :)<br>
<br>-- Shimi<br></div></div><br>[*] Yes, I know that you can use httptunnel to pipe SOCKS requests to a machine outside the country to escape such a QoS limitation. But that costs you more money (unless you have some generous friend abroad...), and you paid for "Internet", not just "HTTP service".<br>
</div>