ietf-mxcomp

Re: draft-schlitt-spf-classic-01.txt

2005-06-08 20:18:25

On Wed, 8 Jun 2005, Alan DeKok wrote:


Dean Anderson <dean(_at_)av8(_dot_)com> wrote:
You have no basis for concluding that their receiving "ICMP port
unreachable" means that they actually tried connecting to you.

  As I said, how about watching the packets go out of my box?

1) Having an outbound packet rate, as you describe, doesn't indicate that
they sent you SYN packets. It is possible that your machine is
compromised, and that it really is attacking them.

2) It is possible that you received SYN packets that weren't from them.
Forged SYN packets are a common type of attack.

3) Merely having an outbound ICMP packet rate doesn't mean that the
packets they got came from your system.

4) It is possible that their system is compromised.

All of these are more likely than your insistence that they are spammers 
asking you not to send them ICMP packets.

With this in mind, let's look again at your claims: (from
www.striker.ottawa.on.ca)

**1. Their firewall is misconfigured. (Blocking ICMP's is wrong.) 

Blocking __all__ ICMP is probably wrong. There is only one ICMP packet
that shouldn't be blocked, and there is currently an attack which makes it
reasonable to block even that one. So blocking the ICMP port unreachable
packet type is not wrong. http://www.av8.net/ICMPTypes.txt

**2. They're trying to send me spam, and complaining when they can't. 

This is just irrational.

**3. They don't understand how networks work, or how to set up their 
machines. 

Their machines are probably set up correctly. But if they aren't, you 
haven't shown any reason that they aren't.

**4. Words cannot describe their incompetence. 

The acts you attribute to them are entirely rational and show no
incompetence on _their_ part. 

Competence is the ability to solve common problems in your field of work.
A common problem an IT professional might have to solve is analyzing
an attack.  What should a competent professional have done in Alan's
situation?  Let's look at what should happen:

Sysadmin calls Alan, and says: "Your system is attacking me"
Alan should say: "What makes you think that?"
Sysadmin says: "I'm getting loads of ICMP messages from your IP."
Alan should say: "What's your IP? I'll take a look"
Sysadmin tells him IP.
Alan grabs packets to and from that IP

[now we have some options, depending on what Alan finds]

Option 1: Alan found packets to/from that IP

  Option 1A: Alan found SYN Packets from their IP and ICMP packets to it
    Alan says: "I'm seeing SYN packets from your IP. Do you see that?"
    Option 1A1: Sysadmin sees it
      Sysadmin says: "Yes. Hmm. That's weird"
      Alan: "OK. Could you block SYNS to my IP until you fix it?"
      Sysadmin: "Sure".
    Option 1A2: Sysadmin doesn't see anything
      Sysadmin says: "No SYN packets here."
      Alan says: "Hmm. Somebody may be forging SYN packets from your IP.
           I'll contact my ISP and see if we can trace it down. In the 
           meantime, I'll block ICMP going to your IP."
      Sysadmin says: "Thanks for taking care of the problem"

  Option 1B: Alan found ICMP but no SYN Packets
    Alan says: "I'm just seeing ICMP packets to your IP. But that's
         strange; I don't see any SYN packets. Hmm. I seem to have 
         a compromise on my box. I'll block ICMP to your IP until
         I get it fixed."
    Sysadmin says: "Thanks for taking care of the problem"
     

Option 2: Alan didn't find packets to or from that IP 

  Alan says: "I don't see anything to or from your IP. It seems that 
       our IP has been forged in the ICMP packet."
  Sysadmin says: "Ok, thanks. I'll contact our upstreams to trace 
       the traffic. Thanks for your help."

So now we know what should have happened, let's post-mortem what happened:

Alan said that no one should contact him because they are receiving ICMP
from his IP.  Alan says on his page that anyone contacting him about this
is incompetent. Alan says they are spammers complaining about his ICMP.
Alan says he convinced some to send him _their_ logs.  Their logs don't 
prove Alan's claims.

Indeed, none of Alan's claims are supportable.

Alan didn't go through any of the steps listed above; he didn't document
them. To demonstrate his own due diligence, he would need to report what
he found.

So, it is Alan's competence that's in question. Not the competence of the
people who called him to complain about the ICMP packets apparently coming
from his IP address.

And as already shown, his claims about blocking ICMP are also incorrect.  
Alan's failure to understand common practice reflects badly on competence 
as an IT Professional.


Further, to prove your claim, __you__ would need logs indicating that they
actually tried connecting. Where are the SYNs from their server?  But you
have no such specific logs, or don't claim you do in those cases.

  I have the data, you don't.  I'm sorry that this upsets you.

You don't make any claim that you gave them your logs. So I don't think
you did. Whether or not you actually have that data is irrelevant. You
didn't use it to make your case to them, and you can't make a rational
case without it.  I don't need to see your data to conclude that your 
argument is unsupported.

I'm not upset to not have your data. You just seem to be stretching the
assertion that nobody can make any conclusions without it. But that's just
wrong.  Deductions can be made, given what you have revealed.

Spammers aren't calling you complaining that you should not send them
ICMP unreachables.  What lunacy.

  Exactly.  I never claimed that.

You did, and you have been: Point 2 on your list:

  2. They're trying to send me spam, and complaining when they can't

Further, you also keep asserting that spammers are routinely spamming you,
and you deny my assertion that you are being abused by people who seek to
annoy you.

My assertion (since 2002) has been that this is an attack. It is not
"spam". It is meant to annoy you.

  At this point, I have to ask: Are you for real, Dean?

You are the one pursuing an irrational position well beyond the point of 
making a credible claim. It is no longer credible to think that you believe 
what you say.

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000
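The diagnostic walk-through in the message above (Option 1A / 1A2 / 1B / 2) reduced to a small triage routine over captured packets. This is an added example, not code from the thread or from either participant; the `Pkt` rows, the RFC 5737 documentation addresses and the `remote_sees_syns` flag standing in for the sysadmin's answer are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str   # "tcp" or "icmp"
    detail: str  # TCP flags such as "S", "SA"; ICMP "type/code" such as "3/3"

def is_syn(p, my_ip, their_ip):
    # Connection attempt: TCP SYN without ACK, from their address to ours
    return (p.proto == "tcp" and p.src == their_ip and p.dst == my_ip
            and "S" in p.detail and "A" not in p.detail)

def is_port_unreach(p, my_ip, their_ip):
    # ICMP type 3 code 3 = destination unreachable, port unreachable, ours to theirs
    return (p.proto == "icmp" and p.src == my_ip and p.dst == their_ip
            and p.detail == "3/3")

def triage(packets, my_ip, their_ip, remote_sees_syns=None):
    """Return the branch label from the decision tree in the message.
    remote_sees_syns is what the complaining sysadmin reports from their own
    capture (None = not asked yet); it only splits 1A into 1A1 / 1A2."""
    relevant = [p for p in packets if their_ip in (p.src, p.dst)]
    if not relevant:
        return "2"        # nothing to/from them: our IP was forged in the ICMP they see
    syns = [p for p in relevant if is_syn(p, my_ip, their_ip)]
    unreach = [p for p in relevant if is_port_unreach(p, my_ip, their_ip)]
    if syns:
        if remote_sees_syns is None:
            return "1A"   # ask them whether they see the SYNs leaving their network
        return "1A1" if remote_sees_syns else "1A2"  # genuine source vs forged SYNs
    if unreach:
        return "1B"       # we emit unreachables with no SYN to provoke them: suspect local compromise
    return "1-other"      # traffic exists but fits neither pattern; inspect by hand

# Constructed sample captures using RFC 5737 documentation addresses
ME, THEM = "192.0.2.10", "198.51.100.7"
CAP_SYN_AND_ICMP = [Pkt(THEM, ME, "tcp", "S"), Pkt(ME, THEM, "icmp", "3/3")]
CAP_ICMP_ONLY = [Pkt(ME, THEM, "icmp", "3/3")]
CAP_UNRELATED = [Pkt("203.0.113.5", ME, "tcp", "S")]

if __name__ == "__main__":
    for name, cap in (("syn+icmp", CAP_SYN_AND_ICMP), ("icmp only", CAP_ICMP_ONLY),
                      ("unrelated", CAP_UNRELATED)):
        print(name, "->", triage(cap, ME, THEM))
```

On a real host the rows would come from a capture filtered on the complaining address; the point is that the verdict depends on both directions of traffic, which is exactly the data the message says was never produced.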