Subject: Re: FW-1 IP Fragmentation Vulnerability
From: Darren Reed (avalon at COOMBS.ANU.EDU.AU)
Date: Tue Jun 06 2000 - 10:54:41 CDT
In some mail from Lance Spitzner, sie said:
[...]
> Other firewalls may have the same problem and vulnerability.
[...]
FWIW, IP Filter doesn't do any packet reconstruction for fragmentation,
nor output large amounts of messages to the console. It will let you
block/log them to your heart's content and at the same time supports
passing of fragments through which are seen to be part of kept state
(limitations apply) without needing to defragment things. Consequently
there are the usual DoS issues with full tables, etc. - there is only
so much you can do. For the most part, the Internet is largely fragment
free, so blocking them is a real solution/alternative.
Back when I learnt about networking, they explained that defragmenting
of packets by routers (i.e. packet filtering firewalls) was bad for
various reasons, the main one being buffer shortages leading to deadlock
of passing packets. Seems there are more reasons not to do this :)
I'm almost tempted to suggest people use IP Filter to protect FW-1 on
Solaris boxes (i.e. block fragment packets) but I've no idea if that
would actually work :-) I suspect "not yet" is the answer (the next
major version of IP Filter would make that possible, I think :).
Happy Hacking,
Darren
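The approach Darren describes, deciding on a fragment from its own IP header rather than reassembling, is what ipf.conf expresses with the `with frag` and `with short` rule keywords. The following is an added illustration (not IP Filter source, nor anything from the original post) of the per-packet logic such a stateless filter applies: it parses the IPv4 flags/offset field, distinguishes unfragmented packets, first fragments, later fragments and "short" first fragments that carry too little of the transport header to inspect, and applies a block-all-fragments policy like the one suggested above. The minimum transport header sizes in MIN_L4_HDR, the 192.0.2.x addresses and the sample packets are all constructed for this example.

```python
import struct

IP_MF = 0x2000        # "more fragments" flag bit in the IPv4 flags/offset field
OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, in units of 8 bytes

# Smallest transport header a filter must see in a first fragment before it can
# make a port/flag decision. Assumed values for this example: TCP, UDP, ICMP.
MIN_L4_HDR = {6: 20, 17: 8, 1: 8}


def build_ipv4(proto, payload, more_fragments=False, offset=0, ident=0x1234):
    """Build a minimal IPv4 packet (no options, checksum left zero) for testing."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8")
    total_len = 20 + len(payload)
    flags_off = (IP_MF if more_fragments else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_off,
                      64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + payload


def parse_ipv4(pkt):
    """Return the header fields a fragment decision needs; reject malformed headers."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_off, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "proto": proto,
        "more_fragments": bool(flags_off & IP_MF),
        "offset": (flags_off & OFFSET_MASK) * 8,
        "payload_len": min(total_len, len(pkt)) - ihl,
    }


def classify(pkt):
    """Classify a packet using only its own header, with no reassembly state.

    'short' is a first fragment whose payload is too small to hold the transport
    header (compare ipf's 'with short'); 'later_fragment' has a non-zero offset
    and therefore carries no transport header at all.
    """
    h = parse_ipv4(pkt)
    if not h["more_fragments"] and h["offset"] == 0:
        return "unfragmented"
    if h["offset"] > 0:
        return "later_fragment"
    if h["payload_len"] < MIN_L4_HDR.get(h["proto"], 0):
        return "short"
    return "first_fragment"


def decide(pkt, allow_first_fragments=False):
    """Stateless policy: pass whole packets, block fragments.

    With allow_first_fragments=True a first fragment that carries a complete
    transport header may pass (so port rules can still be applied to it);
    short and later fragments are always blocked, since nothing can be checked.
    """
    kind = classify(pkt)
    if kind == "unfragmented":
        return "pass"
    if kind == "first_fragment" and allow_first_fragments:
        return "pass"
    return "block"


# Constructed sample packets (protocol 6 = TCP; payload bytes stand in for a TCP header).
SAMPLE_UNFRAGMENTED = build_ipv4(6, bytes(20))
SAMPLE_FIRST_FRAG = build_ipv4(6, bytes(24), more_fragments=True, offset=0)
SAMPLE_LATER_FRAG = build_ipv4(6, bytes(16), more_fragments=False, offset=24)
SAMPLE_SHORT = build_ipv4(6, bytes(8), more_fragments=True, offset=0)

if __name__ == "__main__":
    for name, pkt in [("unfragmented", SAMPLE_UNFRAGMENTED), ("first frag", SAMPLE_FIRST_FRAG),
                      ("later frag", SAMPLE_LATER_FRAG), ("short frag", SAMPLE_SHORT)]:
        print(f"{name:13s} -> {classify(pkt):15s} {decide(pkt)}")
```

Note that a block-all-fragments policy, while simple and immune to reassembly-buffer exhaustion, will also drop legitimate fragmented traffic (large UDP datagrams, for instance), so it is a trade-off to make knowingly rather than a free fix.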