Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: A new TCP/IP blind data injection technique?

From: Michael Gale <michael () bluesuperman com>
Date: Mon, 15 Dec 2003 10:15:23 -0700

Hello,

        Well first of all, one of the industry leading firewalls (
BorderWare Firewall Server ) does NOT pass fragmented packets.

Also netfilter / iptables has the following optio:

       [!]  -f, --fragment
              This means that the rule only refers to second and further
fragments of fragmented packets.  Since              there  is  no  way
to tell the source or destination ports of such a packet (or ICMP type),
such a              packet will not match any rules which specify them. 
When the "!" argument precedes the "-f" flag,              the rule will
only match head fragments, or unfragmented packets.

I have a rule at the beginning:
iptables -A INPUT -f -j DROP

So all my firewall boxes and any I have setup for other companies DROP
fragmented packets.

Michael.



On Sun, 14 Dec 2003 10:24:55 +0100 (CET)
Michal Zalewski <lcamtuf () ghettot org> wrote:


On Sat, 13 Dec 2003, Michael Gale wrote:


Well then .. I am happy that non of the firewalls I use accept or
pass fragments packets.


I would be willing to assume you are confused. Can you provide any
references that would confirm this observation?

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2003-12-14 10:24 --

   http://lcamtuf.coredump.cx/photo/current/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: