Security Basics mailing list archives

RE: Reassembling IP packet Fragments w/o First Fragment


From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 15 Dec 2003 11:23:34 -0800

  If you force packet reassembly to occur on a router/firewall,
you can be DoSed.  If you simply forward second/subsequent 
fragments, you just allow the DoS to be carried out against 
somebody behind you (as well as opening them up to whatever
security issues the failure to reassemble prevents you from
detecting...).
  If you drop second/subsequent fragments that arrive before the
packet header, you risk breaking any fragmented traffic.  This
is safe only if everyone you want to talk to doesn't fragment at
the IP level.

  IP fragmentation is evil.  End nodes should set the DF ("don't
fragment") flag; network devices should honour it.

David Gillett


-----Original Message-----
From: Mike Marcus [mailto:mmarcus () mbminfotech com]
Sent: December 13, 2003 11:43
To: security-basics () securityfocus com
Subject: Reassembling IP packet Fragments w/o First Fragment
Denial of Service Attacks and Firewalls without Stateful inspection.

From what I understand most firewalls do not let through IP 
fragments until the first IP fragment (with TCP Header) is 
received.  I am told that a DOS can be launched by someone 
sending IP packets with the same IP header and never sending 
the first packet.

I read that one way to alleviate this is to let the second and 
subsequent IP packets through and inspect the first packet 
only.  I also read that some can fool the firewall into 
thinking the 1st packet is a subsequent packet.  I am also 
told that some implementations of TCP/IP will reassemble the 
packets once they all pass through the firewall.  This allows 
someone to send to a PC that is behind the firewall.

First, is the information above accurate?  And if so: 
How do I know what services / implementations of TCP/IP have 
the vulnerability, and how do I make adjustments on Servers / 
Workstations?  Also, does Stateful inspection in the firewall 
relegate this to a non-issue?

Thanks,

Mike
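The trade-off David describes (reassemble and risk exhaustion, forward and lose visibility, drop and break fragmented traffic) is usually resolved in practice by reassembling under strict resource bounds. The following is an added example written for this archive page, not code from either poster or from any firewall product: a constructed, simplified fragment reassembler in which partial datagrams are held in a table limited by a per-source quota, a global quota and an age timeout, so that a stream of "subsequent" fragments whose first fragment never arrives is evicted instead of filling memory. Fragment offsets are given in bytes here (real IP headers carry them in 8-byte units), the addresses and identifiers are constructed sample values, and overlapping fragments are not handled.

```python
"""Bounded IP fragment reassembly (constructed example, not a real firewall).

Fragments carry (src, dst, ident, offset, mf, payload). A datagram is
complete once the offset-0 piece and the mf=False piece are present with
no gaps between them. Partial datagrams that never complete are capped per
source and globally and expire after `timeout` seconds.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Key = Tuple[str, str, int]


@dataclass
class Fragment:
    src: str
    dst: str
    ident: int
    offset: int      # byte offset of this payload within the original datagram
    mf: bool         # "more fragments" flag; False marks the final fragment
    payload: bytes


@dataclass
class PartialDatagram:
    created: float
    pieces: Dict[int, bytes] = field(default_factory=dict)   # offset -> payload
    total_len: Optional[int] = None                           # known after mf=False piece


class BoundedReassembler:
    def __init__(self, timeout: float = 30.0, max_per_source: int = 4, max_total: int = 64):
        self.timeout = timeout
        self.max_per_source = max_per_source
        self.max_total = max_total
        self.table: Dict[Key, PartialDatagram] = {}
        self.dropped = 0   # fragments refused at quota plus partial datagrams expired

    def _expire(self, now: float) -> None:
        stale = [k for k, p in self.table.items() if now - p.created > self.timeout]
        for k in stale:
            del self.table[k]
            self.dropped += 1

    def _per_source(self, src: str) -> int:
        return sum(1 for (s, _, _) in self.table if s == src)

    def feed(self, frag: Fragment, now: float) -> Optional[bytes]:
        """Return the reassembled datagram when complete, otherwise None.
        A new partial datagram is refused when its source or the table is at quota."""
        self._expire(now)
        key = (frag.src, frag.dst, frag.ident)
        if key not in self.table:
            if (self._per_source(frag.src) >= self.max_per_source
                    or len(self.table) >= self.max_total):
                self.dropped += 1
                return None
            self.table[key] = PartialDatagram(created=now)
        part = self.table[key]
        if not frag.mf:
            part.total_len = frag.offset + len(frag.payload)
        part.pieces[frag.offset] = frag.payload
        assembled = self._try_assemble(part)
        if assembled is not None:
            del self.table[key]   # release the buffer as soon as the datagram is whole
        return assembled

    @staticmethod
    def _try_assemble(part: PartialDatagram) -> Optional[bytes]:
        if part.total_len is None or 0 not in part.pieces:
            return None
        out, pos = bytearray(), 0
        while pos < part.total_len:
            piece = part.pieces.get(pos)
            if piece is None:
                return None   # gap: a fragment is still outstanding
            out += piece
            pos += len(piece)
        return bytes(out)


def demo_legitimate() -> bytes:
    """Out-of-order but complete pair of fragments reassembles normally."""
    r = BoundedReassembler()
    r.feed(Fragment("10.0.0.5", "10.0.0.9", 1, 8, False, b"WORLD"), now=0.0)   # tail first
    return r.feed(Fragment("10.0.0.5", "10.0.0.9", 1, 0, True, b"HELLO_HI"), now=0.0)


def demo_flood() -> Tuple[int, int, int]:
    """100 datagrams from one source whose first fragment never arrives.
    Returns (table size right after the flood, table size after expiry, dropped)."""
    r = BoundedReassembler(timeout=30.0, max_per_source=4)
    for ident in range(100):
        r.feed(Fragment("198.51.100.7", "10.0.0.9", ident, 8, True, b"x" * 8), now=0.0)
    size_after_flood = len(r.table)                       # capped at the per-source quota
    r.feed(Fragment("10.0.0.5", "10.0.0.9", 500, 0, False, b"ping"), now=31.0)
    return size_after_flood, len(r.table), r.dropped      # stale entries expired, legit traffic unaffected
```

The per-source quota keeps a single sender from consuming the whole table, while the global quota bounds memory even against many sources; the cost of the latter is exactly David's point, since a large enough distributed flood can still crowd out legitimate fragmented flows, which is why he prefers that end nodes avoid IP-level fragmentation altogether.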
