Firewall Wizards mailing list archives

Re: Firewall comparison in Data Communications


From: dnewman () cmp com
Date: Thu, 3 Jun 1999 11:45:24 -0400


Most SPF products (including all those in the Data Comm) have specific anti-ping
o' death routines. True, this usually isn't part of the SPF itself. But there
are safeguards in place against common attacks like IP spoofing, SYN flooding,
ping of death, and the like.

In the case of the ping of death, I presume these routines drop ICMP packets
with a length greater than 64 kbytes. I'm curious to hear--what variant of the
ping of death would be allowed through?

dn
"Ge' Weijers" <ge () progressive-systems com> on 06/03/99 11:39:21 AM

To:   "Steven M. Bellovin" <smb () research att com>
cc:   Robert Graham <robert_david_graham () yahoo com>, Matt Curtin
      <cmcurtin () interhack net>, David Newman <dnewman () data com>,
      firewall-wizards () nfr net, firewalls () lists gnac net
bcc:  David Newman/NYC/CMPNotes
Subject:  Re: Firewall comparison in Data Communications
On Thu, Jun 03, 1999 at 07:44:58AM -0400, Steven M. Bellovin wrote:
> Right.  More fundamentally, firewalls can't protect you against bugs at
> a higher level of the protocol stack.  An IP+port number firewall (i.e.,
> a typical packet filter) is blind to TCP holes.  For that matter, it's
> blind to attacks based on other portions of the IP packet that it doesn't
> look at -- 'ping of death' comes to mind.

Even dynamic packet filters (marketing-speak: Multi-Layer Stateful
Inspection firewalls) only have limited value here. Most of them don't
match 'host/network unreachable' ICMP messages to actual connection
attempts. Not that this _can't_ be done correctly, the overhead is
just considered too high. And there's your hole to get a variant of
ping of death through.

Ge'


-- 
Ge' Weijers                                Voice: (614)326 4600
Progressive Systems, Inc.                    FAX: (614)326 4601
2000 West Henderson Rd. Suite 400, Columbus OH 43220
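As an added example (not written by anyone on this thread), here is how a stateful filter could do the matching Ge' describes as possible but considered too expensive: parse a type 3 (Destination Unreachable) ICMP error, verify its checksum, and look up the quoted inner IP/TCP header in the filter's connection table, dropping errors that refer to no connection attempt it has seen. The connection-table layout and the packet builder are constructed assumptions for the demonstration; only IPv4 errors quoting a TCP header are handled.

```python
import socket
import struct

# Constructed sample of the filter's connection table: outbound TCP connection
# attempts already seen, keyed (src, sport, dst, dport). Hypothetical layout.
CONNECTIONS = {("10.0.0.5", 40000, "192.0.2.10", 80)}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; returns 0 for a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def icmp_error_matches_connection(packet: bytes) -> bool:
    """Accept an ICMP Destination Unreachable (type 3) only if the IP/TCP
    header it quotes belongs to a connection attempt the filter has seen."""
    if len(packet) < 56:                      # outer IP + ICMP + inner IP + 8
        return False
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or ihl < 20 or len(packet) < ihl + 36:
        return False                          # not ICMP, or truncated
    icmp = packet[ihl:]
    if icmp[0] != 3 or icmp_checksum(icmp) != 0:
        return False                          # wrong type or bad checksum
    inner = icmp[8:]                          # quoted datagram that caused the error
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner[9] != 6 or len(inner) < inner_ihl + 8:
        return False                          # only a quoted TCP header is handled
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return (src, sport, dst, dport) in CONNECTIONS

def build_icmp_unreachable(router, host, src, sport, dst, dport, code=1):
    """Constructed test input: 'host unreachable' from router to host, quoting
    the IP header and first 8 TCP bytes of host's packet to dst:dport."""
    ip_fmt = "!BBHHHBBH4s4s"
    inner = struct.pack(ip_fmt, 0x45, 0, 40, 0, 0, 64, 6, 0,
                        socket.inet_aton(src), socket.inet_aton(dst))
    inner += struct.pack("!HHI", sport, dport, 1)   # ports + sequence number
    hdr = struct.pack("!BBHI", 3, code, 0, 0)
    csum = icmp_checksum(hdr + inner)
    icmp = struct.pack("!BBHI", 3, code, csum, 0) + inner
    outer = struct.pack(ip_fmt, 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                        socket.inet_aton(router), socket.inet_aton(host))
    return outer + icmp
```

An error quoting a destination the inside host never contacted, a corrupted checksum, or a truncated message all fail the lookup and are dropped; only errors tied to a tracked attempt pass.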