Firewall Wizards mailing list archives
Re: An ethernet frame with two IP packets inside?
From: Robert Graham <robert_david_graham () yahoo com>
Date: Thu, 29 Oct 1998 11:26:29 -0800 (PST)
You could construct such a packet, but it would be meaningless. Put a sniffer on the wire and see why.

Since Ethernet has a minimum payload size of 46 bytes, and the minimum IP packet is 20 bytes (well, minimum useful packet is 28 if you do an empty ping), any bytes after the end of your first IP packet will be treated as padding by all stacks.

Now, stacks might make assumptions about the size of padding so you might be able to crash them just by appending a huge number of bytes (similarly, some products crash if they receive Ethernet frames beyond the 1.5k max size).

The key point is that nobody will make the assumption that the bytes after the end of the first packet should be treated as anything other than padding, much less an IP header. Remember, we humans may know that there is a second IP header (the first byte being 0x45 is a dead giveaway for IP), but protocol stacks don't use AI. They just follow the rules: 0x0800 at offset 12 means IP comes next. The IP length gives the length of the IP packet. Anything else is padding/garbage and should be ignored.

---Keller <keller () wiesbaden netsurf de> wrote:

Hi gurus and beardy wizards,

what happens if one ethernet frame contains two IP packets? I know, it *shouldn't* happen, but I could construct one, right?

How will different tcpip stacks deal with the second IP packet? Could it slip through the filtering rules on some routers? Could it slip past static pattern matching firewalls (FW-1?) ?

Any ideas or pointers are greatly appreciated..

Cheers!
Stefan Keller

p.s.: I'm aware that it would imply that the attacker sits directly in front of the router/firewall server/whatever.. Then again, he could sit on a (compromised) Linux web server with .. let's say SPAK.. downloaded to that machine.
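The parsing rules described in the reply above, as an added example that is not part of the original message: a minimal Python parser that reads the EtherType at offset 12 and the IP total length, treats everything after that as trailer, and flags a trailer longer than padding requires. The frame bytes, addresses and the names `ipv4_header` and `parse_frame` are constructed for illustration.

```python
import struct

ETH_HDR_LEN = 14          # dst MAC (6) + src MAC (6) + EtherType (2)
ETH_MIN_PAYLOAD = 46      # minimum Ethernet payload size cited in the message
ETHERTYPE_IPV4 = 0x0800

def ipv4_header(total_len, proto=1, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Build a 20-byte IPv4 header (constructed sample data, checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, src, dst)

def parse_frame(frame):
    """Follow the rules from the message: EtherType at offset 12, then IP total length."""
    if len(frame) < ETH_HDR_LEN + 20:
        raise ValueError("frame too short for Ethernet + IPv4 header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("EtherType is not 0x0800")
    payload = frame[ETH_HDR_LEN:]
    ihl = (payload[0] & 0x0F) * 4
    (total_len,) = struct.unpack_from("!H", payload, 2)
    if payload[0] >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(payload):
        raise ValueError("malformed IPv4 header")
    trailer = payload[total_len:]          # everything past the IP length is padding/garbage
    expected_pad = max(0, ETH_MIN_PAYLOAD - total_len)
    return {
        "packet": payload[:total_len],
        "trailer": trailer,
        # Defender's check: more trailing bytes than padding to 46 bytes would need.
        "excess_trailer": len(trailer) > expected_pad,
        # What a human spots (0x45), reported only as a hint; the parser never acts on it.
        "trailer_looks_like_ipv4": len(trailer) >= 20 and trailer[0] == 0x45,
    }

# Constructed sample frames: zeroed MAC addresses, 28-byte "empty ping"-sized packets.
ETH = bytes(6) + bytes(6) + struct.pack("!H", ETHERTYPE_IPV4)
FIRST = ipv4_header(28) + bytes(8)
SECOND = ipv4_header(28, dst=b"\x0a\x00\x00\x63") + bytes(8)
DOUBLE_FRAME = ETH + FIRST + SECOND                       # two IP packets back to back
PADDED_FRAME = ETH + FIRST + bytes(ETH_MIN_PAYLOAD - 28)  # ordinary zero padding

if __name__ == "__main__":
    for name, frame in (("double", DOUBLE_FRAME), ("padded", PADDED_FRAME)):
        r = parse_frame(frame)
        print(name, len(r["packet"]), len(r["trailer"]),
              r["excess_trailer"], r["trailer_looks_like_ipv4"])
```
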