Rich Freeman on 4 Feb 2012 04:04:11 -0800
Re: [PLUG] Quick & dirty IP blocking
On Fri, Feb 3, 2012 at 4:22 PM, <bergman@merctech.com> wrote:
> Right, like the ping-of-death[1] (despite the name, it has nothing to do with
> ICMP).
>

It should probably be noted that none of the stuff in this thread can completely protect you from something like the ping-of-death. That was a kernel-level vulnerability, and even with blocking at an INPUT route the packet is still being processed by the kernel. Now, dropping a malicious packet like a hot potato as early in the process as possible obviously reduces the vulnerability footprint of your system compared to delivering it all the way through the kernel and into an application. Still, if the kernel contains a network stack bug somewhere before the packet actually gets dropped it would be vulnerable.

A hardware firewall can help since it runs a less-complex OS which is likely to be better audited. However, even hardware firewalls can in theory contain vulnerabilities, and perhaps those vulnerabilities could be used to traverse the firewall.

As we learned with Stuxnet even an airgap and sneakernet doesn't provide perfect security.

Rich

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
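As an added illustration of the point above (not code from the thread or from any PLUG member), the script below turns a constructed blocklist into ipset/iptables commands that drop at the raw PREROUTING hook, the earliest point netfilter offers, rather than at filter INPUT. The set name and the use of ipset are assumptions; the commands are only emitted, not executed, and even at that hook the kernel has already parsed the IP header.

```shell
#!/bin/sh
# Added example: emit "quick & dirty" block rules from an address list.
# Assumes iptables and ipset (names assumed; nothing is executed here).

# Constructed sample blocklist: one IPv4 address or CIDR per line.
BLOCKLIST='# constructed sample
203.0.113.7
198.51.100.0/24
not-an-address
192.0.2.9/33
'

# valid_ipv4_cidr ADDR[/PREFIX]: exit 0 if syntactically valid, 1 otherwise.
valid_ipv4_cidr() {
    ip=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32        # bare address means /32
    case $prefix in ''|*[!0-9]*) return 1;; esac
    [ "$prefix" -le 32 ] || return 1
    oldIFS=$IFS; IFS=.; set -- $ip; IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# gen_block_rules SETNAME LIST: valid entries become ipset adds on stdout,
# rejected entries are reported on stderr, then one DROP rule is emitted.
gen_block_rules() {
    setname=$1
    list=$2
    printf 'ipset create %s hash:net -exist\n' "$setname"
    printf '%s\n' "$list" | while IFS= read -r line; do
        line=${line%%#*}                         # strip comments
        line=$(printf '%s' "$line" | tr -d ' \t') # and whitespace
        [ -z "$line" ] && continue
        if valid_ipv4_cidr "$line"; then
            printf 'ipset add %s %s -exist\n' "$setname" "$line"
        else
            printf 'rejected: %s\n' "$line" >&2
        fi
    done
    # raw PREROUTING runs before conntrack and routing; the packet is dropped
    # as early as netfilter allows, but the kernel has already parsed it.
    printf 'iptables -t raw -A PREROUTING -m set --match-set %s src -j DROP\n' "$setname"
}

gen_block_rules quickblock "$BLOCKLIST"
```

Pipe the output into sh only after reviewing it; the two malformed sample lines are reported on stderr and never reach a rule.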