Rich Freeman on 4 Feb 2012 04:04:11 -0800

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Quick& dirty IP blocking

On Fri, Feb 3, 2012 at 4:22 PM,  <> wrote:
> Right, like the ping-of-death[1] (despite the name, it has nothing to do with
> ICMP).

It should probably be noted that none of the stuff in this thread can
completely protect you from something like the ping-of-death.  That
was a kernel-level vulnerability, and even with blocking at an INPUT
route the packet is still being processed by the kernel.

Now, dropping a malicious packet like a hot potato as early in the
process as possible obviously reduces the vulnerability footprint of
your system compared to delivering it all the way through the kernel
and into an application.  Still, if the kernel contains a network
stack bug somewhere before the packet actually gets dropped it would
be vulnerable.

A hardware firewall can help since it runs a less-complex OS which is
likely to be better audited.  However, even hardware firewalls can in
theory contain vulnerabilities, and perhaps those vulnerabilities
could be used to traverse the firewall.

As we learned with Stuxnet even an airgap and sneakernet doesn't
provide perfect security.

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --