Bugtraq mailing list archives
fragroute vs. snort: the tempest in a teacup
From: Dragos Ruiu <dr () dursec com>
Date: Wed, 17 Apr 2002 23:11:54 +0000
Just a quick follow-up to the fragroute alarmism (which I see has prompted Mr. James Middleton at vnunet to write a news story "Evasion tool put's Snort's nose out of joint" :-).

First, this is not a snort-only issue, as I would wager other IDSes have as many if not more evasion modes as well as sharing these with Snort...

But upon further analysis, this issue is a bit of a tempest in a teacup, as a vast majority of these attack obfuscations, particularly the IP fragmentation ones, are not a real threat in practice, because they are not actually usable in real networks except on vulnerable bastion hosts.

Most firewalls these days (especially Linux and OpenBSD ones) actually do reassembly inbound. This was an interesting point discovered recently when it was realized that the snort defragger was actually never getting touched at all in some installations.

So in reality these fragroute obfuscations are actually obfuscating things from the firewall rather than from internal snort sensors. Which is just fine, as snort will see the same traffic as a system being attacked... and therefore operate properly.

Theo DeRaadt coined the best answer for fragrouter in this procedure, a single word: scrub.

So in practice, the fragment level obfuscations are usually hidden/scrubbed from internal snort sensors by the firewalls... but that's ok because they are also hidden from most of the target systems too... ;) and therefore the attack is of not much value or cause for alarm as it will either be stripped of obfuscation or broken and not be a concern or significant threat.

cheers,
--dr

--
--dr pgpkey: http://dragos.com/dr-dursec.asc
CanSecWest/core02 - May 1-3 2002 - Vancouver B.C. - http://cansecwest.com
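The point made in the message above, that a firewall which reassembles inbound hands the sensor and the protected host the same bytes, shown as an added example that is not part of the original post. It goes slightly beyond the post by modelling overlapping fragments under two reassembly policies; the function names, byte-granular offsets and sample fragments are assumptions constructed for illustration.

```python
# Added illustration: byte offsets, policy names and sample fragments are constructed.

def reassemble(fragments, policy):
    """Rebuild a payload from (offset, data) fragments in arrival order.

    policy "first": a byte already written at an offset is kept.
    policy "last":  a later fragment overwrites earlier bytes.
    """
    buf = {}
    for offset, data in fragments:
        for i, byte in enumerate(data):
            pos = offset + i
            if policy == "last" or pos not in buf:
                buf[pos] = byte
    if not buf:
        return b""
    end = max(buf) + 1
    if len(buf) != end:
        raise ValueError("incomplete datagram: hole in fragment chain")
    return bytes(buf[i] for i in range(end))


def scrub(fragments, policy="first", chunk=8):
    """Normalizer in the spirit of a reassembling firewall: rebuild the
    datagram once, then re-emit clean, non-overlapping fragments."""
    whole = reassemble(fragments, policy)
    return [(off, whole[off:off + chunk]) for off in range(0, len(whole), chunk)]


def views(fragments):
    """What a first-wins stack and a last-wins stack each reconstruct."""
    return reassemble(fragments, "first"), reassemble(fragments, "last")


# Constructed sample: harmless request text with one overlapping fragment.
RAW = [(0, b"GET /ind"), (8, b"ex.html "), (8, b"EX.HTML "), (16, b"HTTP/1.0")]

if __name__ == "__main__":
    print("unscrubbed:", views(RAW))         # the two stacks disagree
    print("scrubbed:  ", views(scrub(RAW)))  # both stacks agree
```

Whichever policy the normalizer applies, everything behind it reconstructs one and the same datagram, so a sensor placed behind it inspects what the host receives.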