Re: fragroute vs. snort: the tempest in a teacup

[Darren Reed <avalon () coombs anu edu au>]

In some mail from Dug Song, sie said:
> > Most firewalls these days (especially Linux and OpenBSD ones)
> > actually do reassembly inbound.
>
> this isn't quite true. most stateful inspection firewalls do "virtual
> reassembly" for IP fragments, and a few do basic window tracking for
> TCP connections, but will still allow most fragroute-style attacks
> through (e.g. duplicate overwriting TCP segments with older TCP
> timestamp options for PAWS elimination, short TTLs, etc.).

Well then IDS software needs to be smarter.  IMHO it makes little sense
for an IDS to be *behind* a firewall as it's going to miss out on lots
of useful data points.  Maybe this means telling your IDS software how
big your network is so it can make intelligent decisions about how far
a packet will go based on its TTL.

> > This was an interesting point discovered recently when it was
> > realized that the snort defragger was actually never getting touched
> > at all in some installations.
>
> IP fragmentation is rare to begin with [5], so i wouldn't chalk this
> up to firewall magic - especially when all major firewalls still pass
> fragments in their default configuration, and ONLY OpenBSD pf and
> Linux netfilter can actually be configured to reassemble. even fewer
> track TCP windows, options, etc...

IP Fragmentation is rare across the WAN, maybe, but anyone who's used
NFSv2 knows how common it is on the LAN.

There are good reasons NOT to do reassembly and I imagine those that do
not do so because they understand this better than the desire to simply
add yet another feature which some consider "cool".

Mind you, if you don't configure OpenBSD pf to reassemble packets then
you cannot make pf drop them, either.

Darren