Security Basics mailing list archives
RE: Reassembling IP packet Fragments w/o First Fragment
From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 15 Dec 2003 11:23:34 -0800
If you force packet reassembly to occur on a router/firewall, you can be DoSed. If you simply forward second/subsequent fragments, you just allow the DoS to be carried out against somebody behind you (as well as opening them up to whatever security issues the failure to reassemble prevents you from detecting...). If you drop second/subsequent fragments that arrive before the packet header, you risk breaking any fragmented traffic. This is safe only if everyone you want to talk to doesn't fragment at the IP level.

IP fragmentation is evil. End nodes should set the DF ("don't fragment") flag; network devices should honour it.

David Gillett
-----Original Message-----
From: Mike Marcus [mailto:mmarcus () mbminfotech com]
Sent: December 13, 2003 11:43
To: security-basics () securityfocus com
Subject: Reassembling IP packet Fragments w/o First Fragment

Denial of Service Attacks and Firewalls without Stateful inspection.

From what I understand most firewalls do not let through IP fragments until the first IP fragment (with TCP Header) is received. I am told that a DoS can be launched by someone sending IP packets with the same IP header and never sending the first packet. I read that one way to alleviate this is to let the second and subsequent IP packets through and inspect the first packet only. I also read that some can fool the firewall into thinking the 1st packet is a subsequent packet. I am also told that some implementations of TCP/IP will reassemble the packets once they all pass through the firewall. This allows someone to send to a PC that is behind the firewall.

First, is the information above accurate? And if so: How do I know what services / implementations of TCP/IP have the vulnerability and how do I make adjustments on Servers / Workstations? Also does Stateful inspection in the firewall relegate this to a non-issue?

Thanks,
Mike
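The trade-off David describes (reassemble and risk being DoSed, or forward fragments and pass the risk downstream) comes down to how much state a reassembler is willing to hold for fragment groups whose first fragment never arrives. The following is an added illustration, not code from either poster: a toy IPv4 fragmenter and a reassembler that caps the number of pending groups, expires them on a timeout, and refuses new groups once the budget is spent, so orphaned "subsequent" fragments cannot grow its memory without bound. The addresses, the 64-group budget, the 30-second timeout and the choice to refuse rather than evict are all constructed assumptions; the header builder omits the checksum and options for brevity.

```python
import struct
import time
from collections import OrderedDict

IP_FLAG_DF = 0x2
IP_FLAG_MF = 0x1
IP_MAX_DATAGRAM = 65535


def build_ipv4(src, dst, ident, payload, proto=17, df=False, mf=False, frag_offset=0, ttl=64):
    """Minimal IPv4 packet: 20-byte header, no options, checksum left at 0 (toy, not wire-valid).
    frag_offset is in bytes and must be a multiple of 8 (the field counts 8-byte units)."""
    if frag_offset % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    flags = (IP_FLAG_DF if df else 0) | (IP_FLAG_MF if mf else 0)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      (flags << 13) | (frag_offset // 8), ttl, proto, 0, src, dst)
    return hdr + payload


def parse_ipv4(pkt):
    """Decode the header fields a fragment-handling device needs: id, flags, offset, payload."""
    ihl_ver, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ihl_ver & 0x0F) * 4
    flags = flags_frag >> 13
    return {"id": ident, "proto": proto, "src": src, "dst": dst,
            "df": bool(flags & IP_FLAG_DF), "mf": bool(flags & IP_FLAG_MF),
            "offset": (flags_frag & 0x1FFF) * 8, "payload": pkt[ihl:total_len]}


def fragment(pkt, mtu):
    """Split a packet into fragments that fit mtu; honours DF as David recommends."""
    h = parse_ipv4(pkt)
    if h["df"]:
        raise ValueError("DF set: packet must not be fragmented")
    step = ((mtu - 20) // 8) * 8
    data, out = h["payload"], []
    for off in range(0, len(data), step):
        piece = data[off:off + step]
        out.append(build_ipv4(h["src"], h["dst"], h["id"], piece, h["proto"],
                              mf=(off + len(piece) < len(data)), frag_offset=off))
    return out


class BoundedReassembler:
    """Reassembles fragments but caps the state an attacker can make it hold."""

    def __init__(self, max_groups=64, timeout=30.0):
        self.groups = OrderedDict()   # (src, dst, id, proto) -> pending group
        self.max_groups = max_groups
        self.timeout = timeout
        self.dropped = 0              # groups or fragments discarded for any reason

    def _expire(self, now):
        for key in [k for k, g in self.groups.items() if now - g["created"] > self.timeout]:
            del self.groups[key]
            self.dropped += 1

    def _drop(self, key):
        self.groups.pop(key, None)
        self.dropped += 1
        return None

    def accept(self, pkt, now=None):
        """Feed one packet; returns a complete datagram, or None while still waiting/dropped."""
        now = time.monotonic() if now is None else now
        self._expire(now)
        h = parse_ipv4(pkt)
        if not h["mf"] and h["offset"] == 0:
            return pkt                                   # not fragmented at all
        key = (h["src"], h["dst"], h["id"], h["proto"])
        end = h["offset"] + len(h["payload"])
        if end > IP_MAX_DATAGRAM:
            return self._drop(key)                       # cannot belong to a valid datagram
        g = self.groups.get(key)
        if g is None:
            if len(self.groups) >= self.max_groups:
                self.dropped += 1                        # budget exhausted: hold no new state
                return None
            g = self.groups[key] = {"parts": {}, "total": None, "created": now}
        prev = g["parts"].get(h["offset"])
        if prev is not None:
            if prev["payload"] == h["payload"]:
                return None                              # benign retransmission
            return self._drop(key)                       # conflicting data at same offset
        g["parts"][h["offset"]] = h
        if not h["mf"]:
            g["total"] = end                             # last fragment fixes datagram length
        return self._complete(key, g)

    def _complete(self, key, g):
        if g["total"] is None:
            return None
        pos, data = 0, b""
        for off in sorted(g["parts"]):
            if off > pos:
                return None                              # gap: still waiting
            if off < pos:
                return self._drop(key)                   # overlapping fragments: discard group
            data += g["parts"][off]["payload"]
            pos += len(g["parts"][off]["payload"])
        if pos != g["total"]:
            return None
        first = g["parts"][0]
        del self.groups[key]
        return build_ipv4(first["src"], first["dst"], first["id"], data, first["proto"])


SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed addresses


def demo_roundtrip():
    """Normal case: fragments arrive in reverse order and still reassemble to the original."""
    original = build_ipv4(SRC, DST, 0x1234, bytes(range(256)) * 12)   # 3072-byte payload
    frags = fragment(original, 1500)
    r = BoundedReassembler()
    results = [r.accept(f, now=1.0) for f in reversed(frags)]
    return len(frags), results[-1] == original, results[:-1] == [None] * (len(frags) - 1)


def demo_orphans(n=1000):
    """The scenario from the thread: n 'subsequent' fragments whose first fragment never comes.
    Returns (groups held at the peak, groups after the timeout, total dropped)."""
    r = BoundedReassembler(max_groups=64, timeout=30.0)
    for i in range(n):
        r.accept(build_ipv4(SRC, DST, i, b"x" * 8, mf=True, frag_offset=8), now=1.0)
    held = len(r.groups)
    r.accept(build_ipv4(SRC, DST, n, b"x" * 8, mf=True, frag_offset=8), now=100.0)
    return held, len(r.groups), r.dropped


if __name__ == "__main__":
    print("roundtrip:", demo_roundtrip())
    print("orphans:", demo_orphans())
```

The point is in demo_orphans: however many headerless fragment groups are thrown at the reassembler, it never holds more than max_groups of them, and the timeout returns that memory. A device that does reassemble in-line needs exactly these two limits; a device that forwards fragments unexamined simply moves the same question to the host behind it.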
Current thread:
- Reassembling IP packet Fragments w/o First Fragment Mike Marcus (Dec 15)
- RE: Reassembling IP packet Fragments w/o First Fragment David Gillett (Dec 15)
- Re: Reassembling IP packet Fragments w/o First Fragment Devilscrow Sr (Dec 15)