Bugtraq mailing list archives
Re: DO NOT USE THAT PATCH (Re: IP firewalling bugs)
From: fitz () wang com (Tom Fitzgerald)
Date: Wed, 23 Aug 1995 23:17:44 EDT
> Seems to me that there's no reason to use the "new" data rather than the "old" data when a new fragment arrives that overlaps already-collected data. They're supposed to be the same; any difference indicates that at least one of them is definitely corrupted in a way that beat the checksum, or else you're under attack. In either case, dropping both the incoming packet and the collected fragments is probably the best response, seems to me.
Granted....
> If you don't want to compare the bytes, then just make sure old data takes precedence over new.
No, this fails if the attacker sends the offset=1 frag first (bypassing the filter) and the offset=0 frag second (which the filter accepts, and the defragmenter throws away). The only safe scheme is always to use the data in the fragment that has the smaller fragment-offset, regardless of the order of arrival. Throwing away fragments with offset=1 is also a real good idea.

--
Tom Fitzgerald   1-508-967-5278   Wang Labs, Billerica MA, USA   fitz () wang com
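The overlap policies argued over in this message, side by side, as an added example that is not part of the original post or of any patch in the thread. The function names and fragment contents are constructed for illustration, and the sketch leaves out the more-fragments flag and reassembly timeouts.

```python
UNIT = 8  # IP fragment offsets are counted in 8-byte units

def reassemble(frags, policy, drop_offset_one=False, drop_on_mismatch=False):
    """Reassemble one datagram from (frag_offset, payload) tuples in arrival order.

    policy: "oldest" (first arrival wins), "newest" (last arrival wins) or
    "lowest_offset" (smaller fragment offset wins, whatever the arrival order).
    Returns the payload bytes, or None when the datagram is dropped or has a hole.
    """
    owner = {}  # byte position -> (offset of the fragment that supplied it, value)
    for off, data in frags:
        if drop_offset_one and off == 1:
            continue  # discard the fragment before it reaches the buffer
        for i, value in enumerate(data):
            pos = off * UNIT + i
            if pos not in owner:
                owner[pos] = (off, value)
                continue
            held_off, held_value = owner[pos]
            if drop_on_mismatch and held_value != value:
                return None  # overlapping copies disagree: drop everything
            if policy == "newest" or (policy == "lowest_offset" and off < held_off):
                owner[pos] = (off, value)
    if sorted(owner) != list(range(len(owner))):
        return None  # a hole was left in the datagram
    return bytes(owner[p][1] for p in sorted(owner))

# Constructed sample fragments (not captured traffic).
FIRST = (0, b"H" * 8 + b"a" * 8)   # offset 0, covers bytes 0..15
OVERLAP = (1, b"b" * 8)            # offset 1, overlaps bytes 8..15
TAIL = (2, b"T" * 8)               # offset 2, covers bytes 16..23
IN_ORDER = [FIRST, OVERLAP, TAIL]
OVERLAP_FIRST = [OVERLAP, FIRST, TAIL]

def order_independent(policy, **kw):
    """True when both arrival orders reassemble to the same result."""
    return reassemble(IN_ORDER, policy, **kw) == reassemble(OVERLAP_FIRST, policy, **kw)

if __name__ == "__main__":
    for policy in ("oldest", "newest", "lowest_offset"):
        print(policy, reassemble(IN_ORDER, policy), reassemble(OVERLAP_FIRST, policy))
```

Only `lowest_offset` gives the same bytes for both arrival orders; with `oldest`, the offset-0 fragment's bytes 8..15 are discarded whenever the overlapping fragment arrives first.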