Discussion:
ICMP
Obfus Kataa
2004-09-27 10:25:49 UTC
I have a question about ICMP and what appears to be an Adelphia gateway. I
have a set of GEN/SYN filter rules in my firewall filters that reject ICMP
packets which are not from a source that has an existing connection. I
have had these in place for a while. But recently I just happened to notice
that the only rejection I seem to be having is from an ethernet card address
that my Motorola modem believes to be its discovered upstream gateway. The
ethernet address is 0030ab096df500d0

The packets are pretty regular, about every 5-15 minutes then three in
succession.

My questions are:
Is it "bad" that I drop these on the floor?
What offset in the packet contains the ethernet address of the sender?
What is the byte order of that information?
Do gateways stay constant? [my logs for the times I have kept this
information show the same ethernet address]

I'd prefer to drop the packet which is what I am doing now, and I assume
that the gateway sees there is a modem active but sees the computer behind
it as inactive.

BTW. Baseline security just came on a few days ago, does this mean the
firmware upgrades are now in place? What value is baseline security to the
end user?
--
oK+++
Murray Watson
2004-09-27 18:54:51 UTC
In adelphia.security-issues - article
<***@hcespyu.vi>, on Mon, 27 Sep 2004
06:25:49 -0400, Obfus Kataa says...
Post by Obfus Kataa
I have a question about ICMP and what appears to be an Adelphia gateway. I
have a set of GEN/SYN filter rules in my firewall filters that reject ICMP
packets which are not from a source that has an existing connection. I
have had these in place for a while. But recently I just happened to notice
that the only rejection I seem to be having is from an ethernet card address
that my Motorola modem believes to be its discovered upstream gateway. The
ethernet address is 0030ab096df500d0
The packets are pretty regular, about every 5-15 minutes then three in
succession.
My questions are
is it "bad" that I drop these on the floor?
what offset in the packet contains the ethernet address of the sender?
what is the byte order of that information?
do gateways stay constant? [my logs for the times I have kept this
information show the same ethernet address]
I'd prefer to drop the packet which is what I am doing now, and I assume
that the gateway sees there is a modem active but sees the computer behind
it as inactive.
BTW. Baseline security just came on a few days ago, does this mean the
firmware upgrades are now in place? What value is baseline security to the
end user?
Since you don't mention an IP, could they be ARP instead of ICMP?
Dropping ARPs would not be good.

All packets from the outside world will have your gateway's MAC.

Dropping ICMP should have no serious consequences. If you're not
blocking outbound ICMP you may be seeing responses to packets sent by
your host. Typically the method to block ICMP from the outside world
is to only block ICMP "requests", allowing responses to return.

There is an RFC which contains the packet structure.

What is "baseline security"?
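As an added example (not code from the thread), the following Python parser answers the structural questions above and applies the request-versus-response distinction from the reply: it reads the sender's Ethernet address from a raw frame, flags ARP so it is not dropped, and for ICMP reports whether the message is an echo request. It assumes Ethernet II framing over IPv4; the frames and MAC addresses it builds are constructed test data.

```python
# Added example (not from the thread): parse a raw Ethernet frame. The sender's
# MAC is bytes 6-11 of the frame (destination MAC is bytes 0-5, EtherType is
# bytes 12-13); all are in network byte order, i.e. stored as transmitted, and
# a MAC is 6 bytes long. Sample frames and MAC addresses below are constructed.
import struct

ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
IPPROTO_ICMP = 1
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8


def classify_frame(frame: bytes) -> dict:
    """Return source MAC, EtherType and, for ICMP, type/code and a request flag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    src_mac = frame[6:12].hex(":")                    # offset 6, 6 bytes, as sent
    (ethertype,) = struct.unpack("!H", frame[12:14])  # '!' = network byte order
    info = {"src_mac": src_mac, "ethertype": ethertype, "kind": "other"}
    if ethertype == ETHERTYPE_ARP:
        info["kind"] = "arp"       # address resolution: dropping these breaks things
        return info
    if ethertype != ETHERTYPE_IPV4:
        return info
    ip = frame[14:]
    if len(ip) < 20:
        return info                                   # truncated IPv4 header
    ihl = (ip[0] & 0x0F) * 4                          # IPv4 header length in bytes
    if ip[9] != IPPROTO_ICMP or len(ip) < ihl + 2:
        info["kind"] = "ipv4-other"
        return info
    icmp_type, icmp_code = ip[ihl], ip[ihl + 1]
    info.update(kind="icmp", icmp_type=icmp_type, icmp_code=icmp_code)
    # Rule of thumb from the reply: block unsolicited echo requests (type 8),
    # but let replies (type 0) and other responses return.
    info["is_request"] = icmp_type == ICMP_ECHO_REQUEST
    return info


def build_frame(src_mac: bytes, icmp_type=None) -> bytes:
    """Build a minimal constructed frame: ARP request if icmp_type is None, else ICMP."""
    if icmp_type is None:
        eth = b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_ARP)
        return eth + struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1) + b"\0" * 20
    eth = bytes.fromhex("001122334455") + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)   # checksum left as zero
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                     IPPROTO_ICMP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + icmp
```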
Obfus Kataa
2004-09-28 20:12:58 UTC
Post by Murray Watson
Post by Obfus Kataa
BTW. Baseline security just came on a few days ago, does this mean the
firmware upgrades are now in place? What value is baseline security to the
end user?
What is "baseline security"?
Oops, that should be Baseline Privacy.

Baseline Security is a Microsoft security initiative.

Baseline Privacy used to be off (Skipped) on my modem. Beginning a day or
so ago it showed up as "Done".
--
oK+++
Giving money and power to the government is like giving whiskey
and car keys to teenaged boys.
-P J O'Rourke
Murray Watson
2004-09-28 23:59:46 UTC
In adelphia.security-issues - article
<***@lrk.mi>, on Tue, 28 Sep 2004
16:12:58 -0400, Obfus Kataa says...
Post by Obfus Kataa
Post by Murray Watson
Post by Obfus Kataa
BTW. Baseline security just came on a few days ago, does this mean the
firmware upgrades are now in place? What value is baseline security to the
end user?
"Baseline Privacy" in the context of a cable modem, is encryption of
the signal between the modem and the headend. You could compare the
potential security threat to being connected to a regular networking
hub. Any user also connected to that hub could enter "promiscuous"
mode and view all traffic on their segment but unlike my experience
with DSL networks in the past, neither of my cable modem experiences
revealed any other modem's traffic (other than ARPs).

Don't get a false sense of security. Beyond the headend, all remains
unencrypted. A secure HTML connection or something similar is still
necessary to provide encryption end to end between a user and an e-commerce site.
Post by Obfus Kataa
Post by Murray Watson
What is "baseline security"?
Oops, that should be Baseline Privacy.
Baseline Security is a Microsoft security initiative.
That's kind of an oxymoron.
Post by Obfus Kataa
Baseline Privacy used to be off (Skipped) on my modem. Beginning a day or
so ago it showed up as "Done".