Bugtraq mailing list archives

Watcher page moved (and ObBug)


From: mcn () EnGarde com (Mike Neuman)
Date: Fri, 31 Mar 1995 11:11:10 -0600


  Apparently a large number of people have complained about the Watcher
page, and so LANL has forced me to move it. You can find a link to the new
location from either of the pages listed in my sig, OR you can go directly 
to it at: 

http://129.186.203.202/watcher.html

(That space was graciously provided by Infostructure Inc.)

ObBug:
ICMP bombing is old, but still works. The problem is when a host receives
an ICMP host (or net) unreachable, it has no way of verifying whether or
not the packet came from a real gateway between it and the destination.

ICMP packets SHOULD, however, include the first 64 bytes of the datagram
which is referenced by the packet. In other words, the ICMP host unreachable
message in response to a TCP connection SHOULD contain the TCP ports AND 
sequence number of the connection which was unreachable. By using the ports
and sequence number, a verification of the authenticity could be performed
by the IP software. Unfortunately, most IP implementations (notably Sun's)
do no verification and immediately drop ANY connection between the two
hosts listed in the ICMP packet.

The fix is to not be sloppy. Even simply looking at the port numbers isn't
enough verification as it would only require maybe 2000 spoofed ICMP host
unreachable packets to shut down any connection from a machine to a known
service. Instead, the sequence number could be compared to the sequence
numbers sent and ACKd for the low end, and sequence numbers sent but NOT
ACKd for on the high end. A simple range comparison...

-Mike
--
Mike Neuman (mcn () EnGarde com) - EN GARDE SYSTEMS - Computer Security Consulting
http://www.c3.lanl.gov/~mcn   - http://www.cec.wustl.edu/~dmm2/egs/egs.html
===============================================================================
"Most of these should be 'void', but the people who defined the STREAMS
 data structures for S[ystem] 5 didn't understand data types." - Solaris source
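The check Mike describes, written out as an added example (this is not code from the post, nor from any vendor's IP stack): an ICMP destination-unreachable message quotes the IP header of the offending datagram plus the first 8 bytes of its transport header, which for TCP are exactly the source port, destination port and sequence number. The receiver can therefore look the quoted 4-tuple up in its connection table and accept the error only if the quoted sequence number lies in the window of data already sent but not yet acknowledged (snd_una <= seq < snd_nxt, compared modulo 2^32). The connection table, the `TcpConn`/`Quote` classes, the verdict strings and the sample messages built by `build_icmp_unreachable` are all constructed for this example; the field layout follows RFC 792 and RFC 793.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ICMP_DEST_UNREACH = 3      # ICMP type 3; code 0 = net unreachable, 1 = host unreachable
IPPROTO_TCP = 6
SEQ_MASK = 0xFFFFFFFF


@dataclass
class TcpConn:
    """Minimal per-connection send state a stack keeps (names chosen for this example)."""
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    snd_una: int   # oldest sequence number sent but not yet ACKed
    snd_nxt: int   # next sequence number that will be sent


@dataclass
class Quote:
    """What the ICMP error quotes from the datagram that supposedly triggered it."""
    code: int
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    seq: int


def build_icmp_unreachable(code: int, src_ip: str, dst_ip: str,
                           sport: int, dport: int, seq: int) -> bytes:
    """Constructed sample message: 8-byte ICMP header, then the quoted 20-byte IPv4
    header and the first 8 bytes of the quoted TCP header (ports + sequence number).
    Checksums are left zero because this example never puts the bytes on the wire."""
    icmp_hdr = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp_quote = struct.pack("!HHI", sport, dport, seq)
    return icmp_hdr + ip_hdr + tcp_quote


def parse_icmp_unreachable(msg: bytes) -> Optional[Quote]:
    """Extract the quoted TCP 4-tuple and sequence number, or None if the message
    is not a destination-unreachable for a TCP datagram (or is truncated)."""
    if len(msg) < 8 + 20 + 8:
        return None
    icmp_type, code = msg[0], msg[1]
    if icmp_type != ICMP_DEST_UNREACH:
        return None
    inner = msg[8:]
    ihl = (inner[0] & 0x0F) * 4
    if (inner[0] >> 4) != 4 or ihl < 20 or len(inner) < ihl + 8:
        return None
    if inner[9] != IPPROTO_TCP:
        return None
    src_ip = socket.inet_ntoa(inner[12:16])
    dst_ip = socket.inet_ntoa(inner[16:20])
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    return Quote(code, src_ip, dst_ip, sport, dport, seq)


def seq_in_window(seq: int, lo: int, hi: int) -> bool:
    """True if lo <= seq < hi in modulo-2^32 sequence space (handles wraparound)."""
    return ((seq - lo) & SEQ_MASK) < ((hi - lo) & SEQ_MASK)


ConnTable = Dict[Tuple[str, int, str, int], TcpConn]


def icmp_verdict(conns: ConnTable, msg: bytes) -> str:
    """Decide whether an ICMP unreachable may act on a connection.
    'accept' means the quote matches a live connection and a sequence number we
    actually have outstanding; every other verdict means the message is discarded."""
    quote = parse_icmp_unreachable(msg)
    if quote is None:
        return "ignore:not-tcp-unreach"
    # The quoted datagram is one *this* host sent, so its source is our local end.
    conn = conns.get((quote.src_ip, quote.sport, quote.dst_ip, quote.dport))
    if conn is None:
        return "ignore:no-connection"
    # Port match alone is guessable; the sequence number must fall in the unacked window.
    if not seq_in_window(quote.seq, conn.snd_una, conn.snd_nxt):
        return "ignore:seq-outside-window"
    return "accept"


def demo() -> Dict[str, str]:
    """Constructed scenario: one SMTP connection with 500 bytes outstanding."""
    conns: ConnTable = {
        ("10.0.0.2", 40000, "10.0.0.9", 25):
            TcpConn("10.0.0.2", 40000, "10.0.0.9", 25, snd_una=1000, snd_nxt=1500),
    }
    return {
        "genuine":      icmp_verdict(conns, build_icmp_unreachable(1, "10.0.0.2", "10.0.0.9", 40000, 25, 1200)),
        "guessed-port": icmp_verdict(conns, build_icmp_unreachable(1, "10.0.0.2", "10.0.0.9", 40000, 25, 99999)),
        "wrong-port":   icmp_verdict(conns, build_icmp_unreachable(1, "10.0.0.2", "10.0.0.9", 40001, 25, 1200)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13s} -> {verdict}")
```

The low end of the window is `snd_una` (everything below it has already been ACKed, so no router could still be holding such a segment) and the high end is `snd_nxt` (nothing at or above it has been sent yet), which is the "simple range comparison" the post asks for; the modulo arithmetic in `seq_in_window` is what keeps the check correct when the sequence space wraps.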
