nanog mailing list archives
Re: Firewall stateful handling of ICMP packets
From: Valdis.Kletnieks () vt edu
Date: Wed, 03 Dec 2003 22:53:51 -0500
On Wed, 03 Dec 2003 15:57:37 PST, Owen DeLong <owen () delong com> said:
around. (In fact, I'm hard pressed to imagine how a Frag needed packet for an invalid session could do much of anything).
You can use a forged 'frag needed' to stomp an existing connection of the victim's down to 64 byte MTU or similar silliness, but other than sheer "it's a packet" DDoS effects, I can't think of a malicious use for one for an invalid session either....
Attachment:
_bin
Description:
Current thread:
- MTU path discovery and IPSec jgraun (Dec 03)
- Re: MTU path discovery and IPSec Steven M. Bellovin (Dec 03)
- Re: MTU path discovery and IPSec Owen DeLong (Dec 03)
- Re: MTU path discovery and IPSec Valdis . Kletnieks (Dec 03)
- Re: MTU path discovery and IPSec Owen DeLong (Dec 03)
- <Possible follow-ups>
- RE: MTU path discovery and IPSec cproctor (Dec 03)
- Re: MTU path discovery and IPSec David Sinn (Dec 03)
- Firewall stateful handling of ICMP packets Sean Donelan (Dec 03)
- Re: Firewall stateful handling of ICMP packets Owen DeLong (Dec 03)
- Re: Firewall stateful handling of ICMP packets Valdis . Kletnieks (Dec 03)
- Re: Firewall stateful handling of ICMP packets Owen DeLong (Dec 03)
- Re: MTU path discovery and IPSec David Sinn (Dec 03)
- Re: Firewall stateful handling of ICMP packets Henry Linneweh (Dec 03)
- Re: MTU path discovery and IPSec Steven M. Bellovin (Dec 03)
- Re: MTU path discovery and IPSec Tony Rall (Dec 04)
- Re: MTU path discovery and IPSec Joe Maimon (Dec 04)
- Re: MTU path discovery and IPSec Valdis . Kletnieks (Dec 04)
- Re: MTU path discovery and IPSec Barney Wolff (Dec 04)
- Re: MTU path discovery and IPSec Joe Maimon (Dec 04)
- Re: MTU path discovery and IPSec Valdis . Kletnieks (Dec 04)
- Re: MTU path discovery and IPSec Joe Maimon (Dec 04)
- Re: MTU path discovery and IPSec Crist Clark (Dec 04)