Postfix anti-antivirus (was Re: [linux-elitists] procmail recipe for mydoom?)

Phil Mayers
Tue Feb 10 18:07:22 PST 2004

On Wed, Feb 11, 2004 at 12:44:17PM +1100, Martin Pool wrote:
> I'm not sure, but I think silent absorption is the only sensible
> response to some attacks.  How many of you strictly comply with the
> way IP routing was originally meant to work, and how many have
> firewalls that just log&drop evil packets?

Good point, and very analogous here. Sending ICMP rejects in response to
e.g. a single packet UDP exploit like Slammer, or the one someone will
write for the ASN.1 bug, is a very silly thing to do indeed *in the
current climate*.

Having said that, the *reason* it's very silly for packets and not
necessarily so for SMTP streams is that packets are connectionless.
However, individual legs of SMTP are connectionless in effect. Hmm.
Interesting thought... I wonder...

The counter argument is good too - if more f***ing ISPs used the
facilities they had available on their routers (or cared more, and
bought better routers) then source spoofing would be impossible - the
information to prevent it is *right there*, in the routing table. I
despair at the number of times I've explained to certain router (well,
switch) vendors why *per vlan* rather than per-physical-port ACLs are a
MUST, and why a "ip verify unicast source reachable-via rx" command
should be a legal requirement on routers, like the FCC labels...

So, that's a very effective analogy. Because of the poor abilities and
lax attitudes of a percentage of network operators, ICMPs are no longer
sent where they should be. This increases timeouts and reduces the
reliability of the IP protocol in general, and in particular for the
otherwise well-behaved network operators.

This is a *brilliant* analogy in fact.

In SMTP, the s**t operators are anyone sourcing SMTP which has the
possibility of an invalid origin, and ICMP is SMTP-time 5xx. The
situation we have now is analogous to one of using spoofing to DDoS
someone with the ICMP replies. The correct solution isn't for all
OSes round the world to stop using ICMP. It's for the crappy network
operators to FIX THEIR NETWORK, and stop f***ing up the IP protocol.

If I had a firewall that could do what iptables does, i.e. only send a
reject to a given IP once/second for 5 seconds, then once a minute, then
once every 5; I would tell it to do that.

The analogy falls down here though - the reason many firewalls don't
generate ICMPs (if you've got a phat one, particularly) is the same as
many layer3 switches (ahem "sub-routers") don't - their architecture
does not lend itself to generating those ICMP packets. Were there a
market for it, people would make ones that did.

(In case anyone is curious, my job is 50% programmer/analyst work, 50%
IP engineer work, so this is turning out to be a great discussion)



| Phil Mayers                              |
| Network & Infrastructure Group           |
| Information & Communication Technologies |
| Imperial College                         |

More information about the linux-elitists mailing list