Bugtraq mailing list archives
Re: FW-1 IP Fragmentation Vulnerability
From: avalon () COOMBS ANU EDU AU (Darren Reed)
Date: Wed, 7 Jun 2000 01:54:41 +1000
In some mail from Lance Spitzner, sie said: [...]
Other firewalls may have the same problem and vulnerability.
[...]

FWIW, IP Filter doesn't do any packet reconstruction for fragmentation nor output large amounts of messages to the console. It will let you block/log them to your heart's content and at the same time supports passing of fragments through which are seen to be part of kept state (limitations apply) without needing to defragment things. Consequently there are the usual DoS issues with full tables, etc - there is only so much you can do. For the most part, the Internet is largely fragment free so blocking them is a real solution/alternative.

Back when I learnt about networking, they explained that defragmenting of packets by routers (i.e. packet filtering firewalls) was bad for various reasons, the main one being buffer shortages leading to deadlock of passing packets. Seems there are more reasons not to do this :)

I'm almost tempted to suggest people use IP Filter to protect FW-1 on Solaris boxes (i.e. block fragment packets) but I've no idea if that would actually work :-) I suspect "not yet" is the answer (the next major version of IP Filter would make that possible, I think :).

Happy Hacking,
Darren
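The approach described in the message above (decide on fragments from the IP header alone, pass only fragments that belong to kept state, and fail closed when the table is full) can be modelled as follows. This is an added example, not part of the original post and not IP Filter's code; the `FragFilter` class, the `(src, dst, proto, ident)` table key, the table size and the sample packets are all assumptions made for illustration.

```python
import socket
import struct

MAX_FRAG_ENTRIES = 2  # deliberately tiny (constructed) to show the full-table case

def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, ident, more_frags, frag_offset) from an IPv4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    _, _, _, ident, flags_off, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return (socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, ident,
            bool(flags_off & 0x2000), flags_off & 0x1FFF)

class FragFilter:
    """Hypothetical stateless-per-packet fragment policy; no reassembly buffers."""
    def __init__(self, allowed_flows, block_all_frags=False):
        self.allowed = set(allowed_flows)  # stands in for kept state: (src, dst, proto)
        self.block_all = block_all_frags
        self.frag_table = set()            # (src, dst, proto, ident) of passed first fragments

    def decide(self, pkt: bytes) -> str:
        src, dst, proto, ident, mf, off = parse_ipv4(pkt)
        flow, key = (src, dst, proto), (src, dst, proto, ident)
        if not mf and off == 0:            # ordinary unfragmented packet
            return "pass" if flow in self.allowed else "block"
        if self.block_all:                 # the "just block fragments" policy
            return "block"
        if off == 0:                       # first fragment carries the transport header
            if flow not in self.allowed or len(self.frag_table) >= MAX_FRAG_ENTRIES:
                return "block"             # unknown flow, or table full: fail closed
            self.frag_table.add(key)
            return "pass"
        if key in self.frag_table:         # later fragment of a datagram already passed
            if not mf:                     # last fragment releases the entry (simplification:
                self.frag_table.discard(key)  # assumes fragments arrive in order)
            return "pass"
        return "block"                     # fragment with no matching first fragment

def make_pkt(src, dst, ident, mf, off, proto=17):
    """Build a constructed 20-byte IPv4 header (checksum left at 0) for the demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, ident, (0x2000 if mf else 0) | off,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
```

The memory cost is one small table entry per in-flight datagram rather than a reassembly buffer, which is why the remaining exposure is table exhaustion rather than buffer deadlock.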