Apparently a large number of people have complained about the Watcher page, and so LANL has forced me to move it. You can find a link to the new location from either of the pages listed in my sig, OR you can go directly to it at:

    http://129.186.203.202/watcher.htm

(That space was graciously provided by Infostructure Inc.)

ObBug:

ICMP bombing is old, but still works. The problem is when a host receives an ICMP host (or net) unreachable, it has no way of verifying whether or not the packet came from a real gateway between it and the destination.

ICMP packets SHOULD, however, include the first 64 bytes of the datagram which is referenced by the packet. In other words, the ICMP host unreachable message in response to a TCP connection SHOULD contain the TCP ports AND sequence number of the connection which was unreachable. By using the ports and sequence number, a verification of the authenticity could be performed by the IP software. Unfortunately, most IP implementations (notably Sun's) do no verification and immediately drop ANY connection between the two hosts listed in the ICMP packet.

The fix is to not be sloppy. Even simply looking at the port numbers isn't enough verification, as it would only require maybe 2000 spoofed ICMP host unreachable packets to shut down any connection from a machine to a known service. Instead, the sequence number could be compared to the sequence numbers sent and ACKd on the low end, and sequence numbers sent but NOT ACKd on the high end. A simple range comparison...

-Mike

--
Mike Neuman (mcn@EnGarde.com) - EN GARDE SYSTEMS - Computer Security Consulting
http://www.c3.lanl.gov/~mcn - http://www.cec.wustl.edu/~dmm2/egs/egs.htm
===============================================================================
"Most of these should be 'void', but the people who defined the STREAMS data
structures for S[ystem] 5 didn't understand data types." - Solaris source
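As an added illustration (not part of Mike's post), here is the range check he describes, applied to a constructed ICMP Destination Unreachable message: the receiver parses the quoted IP header and the first 8 bytes of the TCP header, matches the 4-tuple against its own connection, and accepts the message only if the quoted sequence number lies in [SND.UNA, SND.NXT) in RFC 793 terms (my reading of the post's low and high ends), with 32-bit wraparound handled. The addresses, ports, connection state and message bytes are constructed test values.

```python
import socket
import struct
from dataclasses import dataclass

ICMP_DEST_UNREACH = 3
IPPROTO_TCP = 6

@dataclass
class TcpConn:
    laddr: str      # our address and port on this connection
    lport: int
    raddr: str      # the peer's address and port
    rport: int
    snd_una: int    # oldest sequence number sent but not yet acknowledged
    snd_nxt: int    # next sequence number we will send

def seq_in_flight(seq: int, snd_una: int, snd_nxt: int) -> bool:
    """True if snd_una <= seq < snd_nxt, computed modulo 2**32 to handle wraparound."""
    return ((seq - snd_una) & 0xFFFFFFFF) < ((snd_nxt - snd_una) & 0xFFFFFFFF)

def icmp_unreach_is_plausible(icmp: bytes, conn: TcpConn) -> bool:
    """Accept a Destination Unreachable for conn only if the quoted datagram matches it."""
    if len(icmp) < 8 + 20 + 8 or icmp[0] != ICMP_DEST_UNREACH:
        return False
    inner = icmp[8:]  # the quoted original IP datagram follows the 8-byte ICMP header
    version, ihl = inner[0] >> 4, (inner[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(inner) < ihl + 8 or inner[9] != IPPROTO_TCP:
        return False
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    # The quoted datagram was one we sent, so its source must be our local endpoint.
    if (src, sport, dst, dport) != (conn.laddr, conn.lport, conn.raddr, conn.rport):
        return False
    return seq_in_flight(seq, conn.snd_una, conn.snd_nxt)

def make_icmp_unreach(src: str, dst: str, sport: int, dport: int, seq: int) -> bytes:
    """Constructed test message: type 3 code 1, quoting a 20-byte IP header + 8 TCP bytes."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 48, 0, 0, 64, IPPROTO_TCP, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    tcp_prefix = struct.pack("!HHI", sport, dport, seq)
    icmp_hdr = struct.pack("!BBHI", ICMP_DEST_UNREACH, 1, 0, 0)  # checksum left as zero
    return icmp_hdr + ip_hdr + tcp_prefix

if __name__ == "__main__":
    # Constructed state: our send window straddles the 32-bit sequence wrap.
    conn = TcpConn("10.0.0.5", 40000, "192.0.2.10", 80, snd_una=0xFFFFFFF0, snd_nxt=0x10)
    genuine = make_icmp_unreach("10.0.0.5", "192.0.2.10", 40000, 80, 0xFFFFFFF8)
    forged = make_icmp_unreach("10.0.0.5", "192.0.2.10", 40000, 80, 0x12345678)
    print(icmp_unreach_is_plausible(genuine, conn), icmp_unreach_is_plausible(forged, conn))  # True False
```

A message with the right ports but a sequence number outside the in-flight range is ignored, so a spoofer who guesses only the ports cannot tear the connection down.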