Free Republic
News/Activism

To: Musket
Steve Gibson says Black Ice is crap

I've used a few firewalls, hardware and software, and wish there were some way to selectively enable/disable ICMP/PING. To be sure, leaving it on when there's no need for it may not be a good thing (though not nearly as bad as Steve suggests) but there are times when it is genuinely useful for diagnosing networking problems.

BTW, on a related note, one idea which I've been thinking might be somewhat interesting (though probably not of quite enough use to be practical) would be a DOS-resistant TCP document server for a small collection (up to 256) of static documents.

The server would do nothing except in response to a TCP packet on the configured port.

All packets received except SYN packets would produce return packets whose headers were identical to those received except for swapping source/destination IP and port addresses.

The response to a SYN packet would be a SYN+ACK packet whose ack number was equal to the received sequence number, plus one [the transmitted sequence number would be equal to the received one].

For packets containing 'n' bytes of data, the first byte of data would be examined and used to select a data file. The received sequence number (which would also be the transmitted sequence number) would be taken, modulo the size of the data file. The reply packet would contain 'n' bytes of data from the file, starting at the specified location unless the received sequence number was within an incomplete 'last copy' of the file, in which case it would send out a 'garbage indicator' pattern.

The data file should not contain any FF's within the data proper (code-escaping makes that a trivial requirement), but should start with an FF-preceded header which would state the file size. To receive data file 'n', simply telnet to the appropriate port and start sending character byte 'n'. Grab the received data, watching for an FF followed by a header. If you get a stream of FF's before the header, toss them out. Once the header has been grabbed, grab the appropriate number of bytes after it [size of file minus the number of non-FF bytes received before the header] and assemble the file.

In some ways this would be less efficient than some other TCP protocols, but would have two big benefits:

Anyone ever seen anything like that done? I would think that having some servers on the 'wide open' internet might be useful for documents against whose servers people might otherwise mount DOS attacks. Further, being entirely TCP-based, people behind firewalls would have no trouble accessing the server (as they might with a UDP-based one). Anyone like the idea?
81 posted on 09/25/2004 2:04:26 PM PDT by supercat (If Kerry becomes President, nothing bad will happen for which he won't have an excuse.)
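The stateless document server sketched in post 81, modelled end to end as an added example (this is not code from the original post or from any product it mentions). TCP segments are plain Python objects rather than raw sockets, so both sides of the exchange run offline. Everything the post leaves open is an assumption here: the header is 0xFF followed by four 7-bit length bytes (so the length can never contain an FF), the 'garbage indicator' is a run of 0xFF bytes, the 'code-escaping' is 0xFE -> FE 00 and 0xFF -> FE 01, and an unknown file index gets a garbage reply. The client places received bytes by sequence number modulo the tile length (header plus escaped body); in the common case that is exactly the post's rule of counting the non-FF bytes received before the header, but it also copes with a stream that starts inside the header or inside the garbage run at the top of sequence space.

```python
"""Model of a stateless, tiled-document TCP server and a client that reassembles
a document from it.  Added example; header format, garbage pattern, escape
scheme and unknown-index behaviour are assumptions, not from the original post."""
from dataclasses import dataclass, replace

SYN, ACK = 0x02, 0x10
SEQ_SPACE = 1 << 32          # TCP sequence numbers wrap at 2**32
HDR_LEN = 5                  # 0xFF marker + four 7-bit length bytes (assumed format)


@dataclass(frozen=True)
class Segment:
    src: tuple               # (ip, port)
    dst: tuple
    seq: int
    ack: int
    flags: int
    payload: bytes = b""


def escape(body: bytes) -> bytes:
    """Keep 0xFF out of the data proper (assumed scheme): FE -> FE 00, FF -> FE 01."""
    return body.replace(b"\xfe", b"\xfe\x00").replace(b"\xff", b"\xfe\x01")


def unescape(data: bytes) -> bytes:
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == 0xFE:
            out.append(0xFE if data[i + 1] == 0 else 0xFF)
            i += 2
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def build_image(body: bytes) -> bytes:
    """Header + escaped body: the unit the server tiles over sequence space."""
    enc = escape(body)
    assert len(enc) < 1 << 28
    length = bytes((len(enc) >> s) & 0x7F for s in (21, 14, 7, 0))   # never 0xFF
    return b"\xff" + length + enc


def parse_length(hdr: bytes) -> int:
    return sum(b << s for b, s in zip(hdr, (21, 14, 7, 0)))


class DocumentServer:
    """Holds no per-connection state: every reply is a pure function of one segment."""

    def __init__(self, documents: dict):
        assert all(0 <= i < 256 for i in documents)        # up to 256 static files
        self.images = {i: build_image(b) for i, b in documents.items()}

    def byte_at(self, image: bytes, pos: int) -> int:
        size = len(image)
        if pos >= (SEQ_SPACE // size) * size:              # incomplete last copy
            return 0xFF                                     # garbage indicator (assumed)
        return image[pos % size]

    def respond(self, seg: Segment) -> Segment:
        out = replace(seg, src=seg.dst, dst=seg.src)        # swap addresses and ports
        if seg.flags & SYN:                                 # SYN -> SYN+ACK, ack = seq + 1
            return replace(out, flags=SYN | ACK, ack=(seg.seq + 1) % SEQ_SPACE, payload=b"")
        if not seg.payload:
            return out                                      # bare ACK etc. echoed back
        image = self.images.get(seg.payload[0])             # first data byte selects the file
        n = len(seg.payload)
        if image is None:
            return replace(out, payload=b"\xff" * n)        # unknown index: garbage (assumed)
        data = bytes(self.byte_at(image, (seg.seq + k) % SEQ_SPACE) for k in range(n))
        return replace(out, payload=data)                   # same seq as received, n bytes back


def fetch(server: DocumentServer, index: int, isn: int, chunk: int = 64,
          client=("10.0.0.2", 40000), srv=("10.0.0.1", 8000), max_segments=100000) -> bytes:
    """Client side: handshake, then keep sending byte `index` and rebuild the file.
    Received bytes are placed by sequence number mod the tile length, which is
    anchored at seq 0 because the server indexes the file by seq mod size."""
    synack = server.respond(Segment(client, srv, isn, 0, SYN))
    assert synack.flags == SYN | ACK and synack.ack == (isn + 1) % SEQ_SPACE
    seq, ack = (isn + 1) % SEQ_SPACE, (synack.seq + 1) % SEQ_SPACE
    base, stream, placed = seq, bytearray(), 0              # stream[i] sits at seq base + i
    tile, body = None, None
    for _ in range(max_segments):
        rsp = server.respond(Segment(client, srv, seq, ack, ACK, bytes([index]) * chunk))
        assert rsp.seq == seq and len(rsp.payload) == chunk
        stream += rsp.payload
        seq, ack = (seq + chunk) % SEQ_SPACE, (rsp.seq + chunk) % SEQ_SPACE
        if tile is None:                                    # FF followed by a length byte = header
            for i in range(max(0, len(stream) - chunk - HDR_LEN), len(stream) - HDR_LEN + 1):
                if stream[i] == 0xFF and stream[i + 1] != 0xFF:
                    size = parse_length(stream[i + 1:i + HDR_LEN])
                    tile, body = size + HDR_LEN, [None] * size
                    break
        if tile is not None:
            while placed < len(stream):
                off = ((base + placed) % SEQ_SPACE) % tile
                if off >= HDR_LEN and stream[placed] != 0xFF:   # skip header bytes and garbage
                    body[off - HDR_LEN] = stream[placed]
                placed += 1
            if all(b is not None for b in body):
                return unescape(bytes(body))
    raise RuntimeError("document not assembled")
```

Running `fetch(server, 7, SEQ_SPACE - 30, chunk=16)` starts the stream 30 bytes below the wrap, so the client sees the tail of the last full copy, the garbage run, the header at sequence number 0 and then the body, and still assembles the file. What statelessness buys is that a SYN flood or a flood of spoofed data segments costs the server nothing but the reply itself; the reply is exactly as long as the request, so the server cannot be used as an amplifier either, though a spoofed source still receives one packet per packet sent.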


To: supercat

Most hardware firewalls can toggle ICMP/PING with just a few clicks.


82 posted on 09/25/2004 2:25:19 PM PDT by Weirdad (A Free Republic, not a "democracy" (mob rule))



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson