[Mimedefang] FTC asks ISPs to crack down on zombie PCs

James Ebright jebright at esisnet.com
Thu May 26 15:05:26 EDT 2005


On Thu, 26 May 2005 10:58:52 -0700, Kelsey Cummings wrote

> You must block port 25 in both directions to prevent 'triangular routing
> attacks' from working.


We are not running any type of mobile IP here nor IPv6 and while yes, this
type of attack is possible with IPv4, TCP provides some protection against
this attack:

      If the target address belongs to a real node, it will respond with TCP
Reset, which prompts CN to close the connection.

      If target is a non-existent address, the target network may send ICMP
Destination Unreachable messages. Not all networks send this latter kind of
error messages.

The attack is not specific to MIPv6:

      Dynamic updates are made to Secure DNS; there is no requirement or
mechanism for verifying that the registered IP addresses are true.

      ICMP Redirect messages enable a similar attack on the scale of a local
network. We expect there to be other protocols with the same type of
vulnerability.

And I know for sure both Cisco routers and Linux boxes send ICMP Dest.
Unreachable messages for non-existent addresses.

I am not saying we are foolproof, but this attack seems unlikely enough to
succeed that it would be unreasonable for us to inconvenience our customer
base by blocking port 25, not to mention we would probably detect it as a
potential DOS attack via our IDS fairly quickly anyway simply due to the
latency/traffic it would cause.

Jim