Bugtraq mailing list archives

fragroute vs. snort: the tempest in a teacup


From: Dragos Ruiu <dr () dursec com>
Date: Wed, 17 Apr 2002 23:11:54 +0000


Just a quick follow-up to the fragroute alarmism (which I see has
prompted Mr. James Middleton at vnunet to write a news story 
"Evasion tool puts Snort's nose out of joint" :-). First, this
is not a snort-only issue, as I would wager other IDSes have as
many if not more evasion modes as well as sharing these with Snort...

But upon further analysis, this issue is a bit of a tempest in 
a teacup, as a vast majority of these attack obfuscations, particularly
the IP fragmentation ones, are not a real threat in practice, because
they are not actually usable in real networks except on vulnerable
bastion hosts.  Most firewalls these days (especially Linux and OpenBSD 
ones) actually do reassembly inbound. This was an interesting point 
discovered recently when it was realized that the snort defragger was 
actually never getting touched at all in some installations.  So in 
reality these fragroute obfuscations are actually obfuscating things 
from the firewall rather than from internal snort sensors. Which is 
just fine, as snort will see the same traffic as a system being 
attacked... and therefore operate properly.

Theo DeRaadt coined the best answer for fragrouter in this procedure, a 
single word: scrub.

So in practice, the fragment level obfuscations are usually hidden/scrubbed 
from internal snort sensors by the firewalls... but that's ok because they are 
also hidden from most of the target systems too... ;) and therefore the 
attack is of not much value or cause for alarm as it will either be 
stripped of obfuscation or broken and not be a concern or significant 
threat.

cheers,
--dr

-- 
--dr                  pgpkey: http://dragos.com/dr-dursec.asc
      CanSecWest/core02 - May 1-3 2002 - Vancouver B.C. - http://cansecwest.com
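As an added example that is not part of the post above (nor code from pf or Snort): a toy normalizing fragment reassembler in the spirit of the "scrub" behaviour the post describes. A firewall that reassembles inbound can refuse to forward a datagram whose overlapping fragments disagree, so the sensor behind it and the target host see the same single byte stream. The function names and the sample fragments are constructed for illustration.

```python
# Toy "scrub"-style reassembler (added example, not from the original post).
# A fragment is (byte offset within the datagram, payload). The normalizer
# fills a buffer in offset order and treats two fragments that cover the same
# bytes with different data as a conflict; the datagram is then dropped rather
# than forwarded, so nothing ambiguous reaches a sensor sitting behind it.
from typing import List, Optional, Tuple

Fragment = Tuple[int, bytes]  # (offset, payload)


class OverlapConflict(Exception):
    """Two fragments cover the same byte range with different contents."""


def scrub_reassemble(fragments: List[Fragment], total_len: int) -> bytes:
    """Reassemble one datagram; raise on conflicting overlap or missing bytes."""
    buf: List[Optional[int]] = [None] * total_len
    for offset, payload in sorted(fragments):
        for i, b in enumerate(payload):
            pos = offset + i
            if pos >= total_len:
                raise ValueError(f"fragment at {offset} runs past datagram end")
            if buf[pos] is not None and buf[pos] != b:
                raise OverlapConflict(f"conflicting byte at offset {pos}")
            buf[pos] = b
    if any(b is None for b in buf):
        raise ValueError("datagram incomplete: holes remain after reassembly")
    return bytes(b for b in buf if b is not None)


def forward_or_drop(fragments: List[Fragment], total_len: int) -> Optional[bytes]:
    """Firewall decision: the normalized datagram, or None if it was dropped."""
    try:
        return scrub_reassemble(fragments, total_len)
    except (OverlapConflict, ValueError):
        return None


# Constructed sample fragments of a 26-byte request line.
CLEAN = [(0, b"GET /index"), (10, b".html HTTP/1.0\r\n")]
OVERLAP_AGREES = [(0, b"GET /index"), (6, b"ndex.html HTTP/1.0\r\n")]
OVERLAP_CONFLICTS = [(0, b"GET /index"), (6, b"XXXX.html HTTP/1.0\r\n")]
INCOMPLETE = [(0, b"GET /index")]

if __name__ == "__main__":
    for name, frags in [("clean", CLEAN), ("agreeing overlap", OVERLAP_AGREES),
                        ("conflicting overlap", OVERLAP_CONFLICTS),
                        ("incomplete", INCOMPLETE)]:
        print(f"{name:20s} -> {forward_or_drop(frags, 26)!r}")
```

The agreeing overlap is forwarded as the same bytes as the clean case, while the conflicting overlap and the incomplete datagram are dropped before any sensor or host has to guess which copy of the bytes to trust.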

