07-24-2005
Greg Metcalfe
Re: how to disable ICMP: "Echo Request" (ping)

Moe Trin wrote:

> In the Usenet newsgroup comp.os.linux.security, in article
> <Hk1Ee.102$CS2.16463@news.uswest.net>, Greg Metcalfe wrote:
>
>>What you're trying to avoid is called a Path MTU Discovery Black Hole. You
>>can find out quite a bit about it with a quick google. I know there was a
>>good paper on it from a Usenix LISA conference a couple or three years
>>ago.
>
> 1191 Path MTU discovery. J.C. Mogul, S.E. Deering. Nov-01-1990.
> (Format: TXT=47936 bytes) (Obsoletes RFC1063) (Status: DRAFT
> STANDARD)
>
> 1435 IESG Advice from Experience with Path MTU Discovery. S. Knowles.
> March 1993. (Format: TXT=2708 bytes) (Status: INFORMATIONAL)
>
> 2923 TCP Problems with Path MTU Discovery. K. Lahey. September 2000.
> (Format: TXT=30976 bytes) (Status: INFORMATIONAL)
>
>>Basically, you should allow ICMP type 3 code 4. These packets are safe.
>
> You may want to look at the Bugtraq mailing list for the past couple of
> days. There is "a discussion" of a denial of service attack relating to
> this. If you don't want to subscribe, grab a list of news groups from
> your news server and look for the word bugtraq - there are several groups
> that mirror the lists, such as mailing.unix.bugtraq or muc.lists.bugtraq.
>
>>Pretty much nothing else in ICMP is.
>
> I don't know if I'd go quite that far.
>
> Old guy

Thanks for the bugtraq references. I haven't been by there in a few days. A
couple of ICMP references from SANS (first two are the ones I was thinking
of a couple of days ago):

The LISA paper
http://www.usenix.org/events/lisa02/...nderberg_html/

Descriptions of many ICMP attacks, by type:code
http://www.giac.org/practical/gsec/L..._Eden_GSEC.pdf

Another good reference to Bad Things that can be done via ICMP. I
would argue that some of the items here can be useful, though. The old
argument that any tool may be used for good or ill.
http://www.sans.org/resources/idfaq/icmp_misuse.php
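The filtering policy discussed in this thread, as an added example that is not part of the original posts or of the referenced papers: the Python below parses a raw ICMP message, accepts only type 3 code 4 (Fragmentation Needed, RFC 1191), drops everything else including Echo Request, and floors the advertised next-hop MTU. The function names and the 552-byte floor (the default of Linux's net.ipv4.route.min_pmtu) are assumptions, and the sample messages are constructed.

```python
import struct

FRAG_NEEDED = (3, 4)  # Destination Unreachable / Fragmentation Needed (RFC 1191)
MIN_PMTU = 552        # assumed floor, same value as Linux's default min_pmtu

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: int, payload: bytes = b"") -> bytes:
    """Build a constructed ICMP message with a valid checksum."""
    hdr = struct.pack("!BBHI", icmp_type, code, 0, rest)
    csum = inet_checksum(hdr + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, rest) + payload

def classify(msg: bytes) -> dict:
    """Return the decision a filter following the quoted advice would make."""
    if len(msg) < 8:
        return {"action": "drop", "reason": "truncated"}
    icmp_type, code, _csum, rest = struct.unpack("!BBHI", msg[:8])
    # A valid message sums to zero when the checksum field is included.
    if inet_checksum(msg) != 0:
        return {"action": "drop", "reason": "bad checksum"}
    if (icmp_type, code) != FRAG_NEEDED:
        return {"action": "drop", "reason": f"type {icmp_type} code {code} not allowed"}
    mtu = rest & 0xFFFF  # next-hop MTU: low 16 bits of the second header word
    if mtu < MIN_PMTU:
        # Do not let a forged or broken message shrink the path MTU arbitrarily.
        return {"action": "accept", "mtu": MIN_PMTU, "reason": "MTU clamped to floor"}
    return {"action": "accept", "mtu": mtu, "reason": "fragmentation needed"}

# Constructed samples: 28 zero bytes stand in for the embedded IP header + 8 bytes.
SAMPLES = {
    "echo request": build_icmp(8, 0, 0x12340001, b"ping"),
    "frag needed": build_icmp(3, 4, 1400, bytes(28)),
    "tiny mtu": build_icmp(3, 4, 68, bytes(28)),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, classify(msg))
```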