From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Fri 18 Mar 2005 - 00:57:24 GMT
On Thu, Mar 17, 2005 at 10:42:17PM +0100, Ulrich Weber wrote:
> Herbert Poetzl wrote:
> >On Thu, Mar 17, 2005 at 03:49:53PM +0100, Ulrich Weber wrote:
> >>Well, you could do as a normal user all the things ICMP is good for.
> >>See http://www.faqs.org/docs/iptables/icmptypes.html for all types.
> >>This could be Source redirection. However, that should be disabled on
> >>most systems for security reasons.
> >>That's IMHO the only thing evil users could do. All other ICMP types
> >>make no sense, because the user is not able to sniff the packets and
> >>therefore can not "react" to incoming packets with custom ICMP replies.
> >what about various DoS and DDoS things like sending
> >host unreachable for the 'neighbour' vserver's ip ...
> Is it possible to send packets with other IPs than that of the origin?
> Should/Can this not be disabled by the vserver patch generally?
yes, it is disabled for ip protocols, but raw sockets
(by definition) do not use any protocol ... and icmp
packets do not use ip addresses ;)
> >>I would recommend using this as the default behavior.
> >>For high security you could disable this feature and for low
> >>security you could enable the CAP_NET_RAW mode.
> >careful, CAP_NET_RAW gives you the ability to sniff
> >all kinds of traffic too ...
> Yeah, that's exactly the problem with my vserver provider.
> They enabled this to use ping on all vservers because
> more customers cared about ping than about sniffing the traffic...
well, that just means that the customers' knowledge about
those issues is small and the provider doesn't want
to bother with security ;)
> >>You also have to consider that normally users on vservers
> >>are trusted, so it's not really a multi-user environment.
> >hmm, they are? ;)
> Yeah, who wants this should rent a dedicated server ;)
Vserver mailing list
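A defender's check for the trade-off discussed in the thread, added here as an example that is my own code and not from the thread or the vserver project: it decodes the capability sets a Linux process reports in /proc/<pid>/status and flags whether CAP_NET_RAW is held, which is what the provider granted so ping works and what also allows sniffing and raw (forged) packets. The status text below is constructed; the capability bit numbers are those from the kernel's include/uapi/linux/capability.h.

```python
import re

# Capability bit numbers from the Linux kernel's capability.h
CAP_NET_ADMIN = 12
CAP_NET_RAW = 13

# Constructed sample of the Cap* lines of /proc/<pid>/status for a process
# that holds CAP_NET_RAW (bit 13 -> 0x2000) in its permitted, effective
# and bounding sets, i.e. what a vserver gets when CAP_NET_RAW is enabled.
SAMPLE_STATUS = """\
Name:\tping
CapInh:\t0000000000000000
CapPrm:\t0000000000002000
CapEff:\t0000000000002000
CapBnd:\t0000000000002000
"""

def parse_cap_sets(status_text):
    """Return {set_name: bitmask} for every Cap* line present in the text."""
    caps = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)$", line)
        if m:
            caps[m.group(1)] = int(m.group(2), 16)
    return caps

def has_cap(mask, cap):
    """True if capability bit `cap` is set in the given bitmask."""
    return bool((mask >> cap) & 1)

def raw_socket_risk(status_text):
    """Report whether the process can open raw sockets now (CapEff) or
    could still regain the capability later (CapBnd, if the line exists)."""
    caps = parse_cap_sets(status_text)
    eff = caps.get("CapEff", 0)
    bnd = caps.get("CapBnd", 0)
    return {
        "effective_net_raw": has_cap(eff, CAP_NET_RAW),
        "bounding_net_raw": has_cap(bnd, CAP_NET_RAW),
        "effective_net_admin": has_cap(eff, CAP_NET_ADMIN),
    }

if __name__ == "__main__":
    print("sample:", raw_socket_risk(SAMPLE_STATUS))
    try:  # live check of the current process on a Linux host
        with open("/proc/self/status") as f:
            print("self:  ", raw_socket_risk(f.read()))
    except OSError:
        print("no /proc/self/status on this system")
```

Run it against the PID of a vserver's init process (or any process inside the guest) to see whether CAP_NET_RAW is actually exposed there rather than trusting the provider's description.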