Re: Firewall comparison in Data Communications
Ge' Weijers (ge@progressive-systems.com)
Thu, 3 Jun 1999 12:32:57 -0400
- Next message: Robert Graham: "RE: Firewall comparison in Data Communications"
- Previous message: dnewman@cmp.com: "Re: Firewall comparison in Data Communications"
- Next in thread: Kevin Steves: "Re: Firewall comparison in Data Communications"
On Thu, Jun 03, 1999 at 11:45:24AM -0400, dnewman@cmp.com wrote:
>
> Most SPF products (including all those in the Data Comm) have specific anti-ping
> o' death routines. True, this usually isn't part of the SPF itself. But there
> are safeguards in place against common attacks like IP spoofing, SYN flooding,
> ping of death, and the like.
>
> In the case of the ping of death, I presume these routines drop ICMP packets
> with a length greater than 64 kbytes. I'm curious to hear--what variant of the
> ping of death would be allowed through?
>
> dn
I'm sure that most commercial firewalls now filter on fragments whose
last byte extends past the 64K limit. My example could have been
better, so let's try again:
Old SunOS systems handle 'Host unreachable' messages by dropping all
connections to the unreachable host. If you've got one of those behind
your firewall running legacy stuff you can mount a denial of service
attack on it by sending it 'host unreachable' messages that claim that
a machine it's talking to is offline. This SunOS behavior is _wrong_,
but the packets look perfectly valid. In my (limited) experience SPFs
don't inspect the payload of the ICMP packet to check it for
plausibility, for performance reasons. They rely on the host
'protected' by the firewall to do the right thing. All packet filters,
static or dynamic, do this to some extent.
The next big exploit may get through an SPF in a similar way. It's
unlikely that this exploit will enable anyone to gain access to the
machine, but it'll be another DoS.
Sorry for the confusion.
Ge'
--
Ge' Weijers                        Voice: (614)326 4600
Progressive Systems, Inc.          FAX:   (614)326 4601
2000 West Henderson Rd. Suite 400, Columbus OH 43220
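The plausibility check Ge' says packet filters skip, shown as an added example that is not part of the original thread and not the code of any product discussed in it. An ICMP "host unreachable" carries the IP header plus 8 bytes of the datagram that supposedly triggered it; a filter that tracks connections can compare that quoted datagram against its own flow table before forwarding the error to the protected host. The script below builds three such ICMP errors inline (all addresses, ports and the flow-table layout are constructed for illustration), runs each through a header-only rule of the kind the post describes and through the payload check, and returns both verdicts. A forger who already knows the victim's exact 4-tuple still gets through, which is why the host itself also has to stop tearing down connections on unreachables; the check only defeats blind attacks.

```python
import socket
import struct
from typing import Dict, Tuple

ICMP_DEST_UNREACH = 3
ICMP_CODE_HOST_UNREACH = 1
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when a valid checksum is already in place."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """20-byte IPv4 header (no options) with a correct header checksum, followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def build_host_unreach(router: str, victim: str, original: bytes) -> bytes:
    """ICMP type 3 / code 1 from router to victim, quoting IP header + 8 bytes of the original."""
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_CODE_HOST_UNREACH, 0, 0) + original[:28]
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return build_ipv4(router, victim, PROTO_ICMP, icmp)


def parse_ipv4(pkt: bytes) -> Tuple[dict, bytes]:
    """Return (header fields, payload). Tolerates a truncated payload, as quoted datagrams are."""
    if len(pkt) < 20:
        raise ValueError("short IPv4 header")
    vihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a usable IPv4 header")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "total_len": total_len}, pkt[ihl:]


def naive_accept(pkt: bytes) -> bool:
    """Header-only rule: allow any well-formed ICMP destination-unreachable through."""
    outer, icmp = parse_ipv4(pkt)
    if outer["proto"] != PROTO_ICMP or len(icmp) < 8:
        return False
    return icmp[0] == ICMP_DEST_UNREACH and inet_checksum(icmp) == 0


def icmp_error_plausible(pkt: bytes, flows: set) -> Tuple[bool, str]:
    """Accept the error only if the quoted datagram matches a flow the filter has seen.
    flows holds (proto, inside_ip, inside_port, outside_ip, outside_port) tuples (assumed layout)."""
    outer, icmp = parse_ipv4(pkt)
    if outer["proto"] != PROTO_ICMP:
        return False, "not ICMP"
    if len(icmp) < 8 + 20 + 8:
        return False, "too short to quote IP header + 8 bytes"
    itype = icmp[0]
    if itype != ICMP_DEST_UNREACH:
        return False, "not a destination-unreachable"
    if inet_checksum(icmp) != 0:
        return False, "bad ICMP checksum"
    inner, rest = parse_ipv4(icmp[8:])
    # The quoted datagram must have been sent by the host now being notified.
    if inner["src"] != outer["dst"]:
        return False, "quoted datagram was not sent by the notified host"
    if inner["proto"] not in (PROTO_TCP, PROTO_UDP) or len(rest) < 4:
        return False, "quoted transport header not usable"
    sport, dport = struct.unpack("!HH", rest[:4])
    key = (inner["proto"], inner["src"], sport, inner["dst"], dport)
    if key not in flows:
        return False, "quoted datagram matches no tracked flow"
    return True, "matches tracked flow %r" % (key,)


def demo() -> Dict[str, Tuple[bool, bool]]:
    """Constructed scenarios -> (naive verdict, plausibility verdict)."""
    victim, server, router, stranger = "10.0.0.5", "192.0.2.10", "198.51.100.1", "203.0.113.7"
    flows = {(PROTO_TCP, victim, 1024, server, 80)}  # the filter saw victim:1024 -> server:80

    def tcp_datagram(src, sport, dst, dport):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
        return build_ipv4(src, dst, PROTO_TCP, tcp)

    pkts = {
        "genuine": build_host_unreach(router, victim, tcp_datagram(victim, 1024, server, 80)),
        "forged_wrong_port": build_host_unreach(router, victim, tcp_datagram(victim, 4444, server, 80)),
        "forged_unknown_peer": build_host_unreach(router, victim, tcp_datagram(victim, 1024, stranger, 25)),
    }
    return {n: (naive_accept(p), icmp_error_plausible(p, flows)[0]) for n, p in pkts.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-20s naive=%s plausible=%s" % (name, *verdict))
```

All three packets are byte-for-byte valid ICMP, so the header-only rule forwards every one of them; only the two forgeries are caught, and only because the quoted flow is not in the table.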
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:18:59 CDT