Security Basics mailing list archives
Re: Reassembling IP packet Fragments w/o First Fragment
From: Devilscrow Sr <devilscrow () gawab com>
Date: Tue, 16 Dec 2003 02:27:15 +0530
Hi Mike, My comments inline..... Mike Marcus wrote:
First, is the information above accurate? And if so:Well the information used to be accurate till some time back. Most stateful firewalls and ids(s) available today can perform fragment reassembly.How to I know what services / implementations of TCP/IP have the vulnerability and how do I make adjustments on Servers / Workstations? Also does Stateful inspection in the firewall relegate this to a non-issue?
Senario 1, the first frag is not sent where as all the other fragments have arrived and block up space on the rec(buff) while waiting for the first frag. This used to be a problem but most vendors have an easy answer to this, the problem can be rectified by reducing the fragment time wait parameter on your systems. Therefore reducing the time the packets will be retained in the static buffer, hence reducing the chance of having a dos condition.
Senario 2, does not exsist anymore... it has been rectified in most of the stateful inspection systems.
For more information you could read a very descriptive article available at www.securityfocus.com click on infocus and it should be there in the windows archives.
-dev --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Reassembling IP packet Fragments w/o First Fragment Mike Marcus (Dec 15)
- RE: Reassembling IP packet Fragments w/o First Fragment David Gillett (Dec 15)
- Re: Reassembling IP packet Fragments w/o First Fragment Devilscrow Sr (Dec 15)