Hello, welcome to the Friday, November 11th, 2016 edition of the Sands and its Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Well, today we got another branded vulnerability in wilder vulnerability itself isn't really all that big of a deal.

It's a nice opportunity to talk a little bit about

firewalls and how they're dealing with ICMP messages. The problem here is that ICMP

unreachable messages cause certain firewalls, most notably some of the smaller Cisco ASA firewalls to drop packets

relatively early so you don't need an awful lot of traffic.

What they measured is around 20 megabits per second will cause the firewall to start dropping

legitimate traffic, where the firewall itself should actually

be able to deal with something in the gigabit range.

So why do we have a problem with ICMP unreachable messages?

Well, those messages, first of all, you should typically not block.

Now you can get away with blocking some of them, but essentially a port unreachable,

a host unreachable tells your system that you try to connect to a system that doesn't exist

where the UDP board is not listening. So you're not going to try to resent the traffic,

which would be another option if you don't get the error message

back.

So you only get these error messages if the problem isn't going to fix itself and sending the

same packet again is not going to solve the problem.

Now in order to help you figure out what cost the problem, ICMP error messages as payload include the first

few bytes of the packet that cost the error. RFC 792 asks for the IP header plus 8 bytes

to be included in the payload but typically you see more you see more likely the entire TCP header being

...