Snort mailing list archives
Re: fragroute vs. snort: the tempest in a teacup
From: Francis Cianfrocca <francis () tempest com>
Date: Thu, 18 Apr 2002 15:33:53 -0400
Sorry for changing the subject, but what is the general state of the art on application-level firewalls? Are any of them ready for prime time?
-hedd

Dug Song wrote:

> On Wed, Apr 17, 2002 at 11:11:54PM +0000, Dragos Ruiu wrote:
>
> > First, this is not a snort-only issue, as I would wager other idses have
> > as many if not more evasion modes as well as sharing these with Snort...
>
> absolutely correct. Snort, i'd wager, does much better than most. most
> stateful inspection firewalls and "intrusion prevention" or other
> application-layer content filtering devices (e.g. Cisco NBAR) have similar
> vulnerabilities that may be tested with fragroute.
>
> > Most firewalls these days (especially Linux and OpenBSD ones) actually do
> > reassembly inbound.
>
> this isn't quite true. most stateful inspection firewalls do "virtual
> reassembly" for IP fragments, and a few do basic window tracking for TCP
> connections, but will still allow most fragroute-style attacks through
> (e.g. duplicate overwriting TCP segments with older TCP timestamp options
> for PAWS elimination, short TTLs, etc.). your best bet (for the truly
> paranoid) is an application-layer firewall, but we all knew that already.
> :-) TCP scrubbers, as proposed by Malan, Paxson, et al. [1] [2] and
> implemented by Provos, Paxson, et al. [3] [4] are a good intermediate
> solution, but haven't found widespread deployment.
>
> > This was an interesting point discovered recently when it was realized
> > that the snort defragger was actually never getting touched at all in
> > some installations.
>
> IP fragmentation is rare to begin with [5], so i wouldn't chalk this up to
> firewall magic - especially when all major firewalls still pass fragments
> in their default configuration, and ONLY OpenBSD pf and Linux netfilter can
> actually be configured to reassemble. even fewer track TCP windows,
> options, etc...
>
> -d.
>
> [1] http://www.eecs.umich.edu/~rmalan/publications/mwjhInfocomm2000.ps.gz
> [2] http://www.icir.org/vern/papers/norm-usenix-sec-01.ps.gz
> [3] http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_norm.c
> [4] http://www.mirrors.wiretapped.net/security/network-intrusion-detection/norm/
> [5] http://www.caida.org/outreach/papers/2001/Frag/
>
> ---
> http://www.monkey.org/~dugsong/
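The quoted exchange turns on two ideas: a passive monitor that reassembles a TCP stream can be fed data the end host never sees (a low-TTL segment that overlaps the real request is one of the fragroute tricks named above), and a TCP scrubber/normalizer removes that ambiguity before the traffic reaches either the IDS or the host. The simulation below is an added example written for this archive page; it is not code from fragroute, Snort, pf or norm. The segment format, the hop counts, the `min_ttl` bound the normalizer is configured with, the "first data wins" overlap policy and the request strings are all constructed assumptions for the demonstration.

```python
"""Simulation of a fragroute-style TCP evasion (a low-TTL chaff segment that
overlaps the real data) and of a TCP scrubber that defeats it.

Added illustration for the mailing-list discussion; not code from fragroute,
Snort, pf or norm. Hop counts, TTLs, policies and payloads are assumptions."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Segment:
    seq: int      # relative TCP sequence number of the first payload byte
    data: bytes   # payload bytes
    ttl: int      # IP TTL as seen at the monitoring point


def survive_transit(segments: Iterable[Segment], hops: int) -> List[Segment]:
    """Segments that still reach a host `hops` routers away: each router
    decrements TTL and discards the packet when it reaches zero."""
    return [s for s in segments if s.ttl > hops]


def reassemble(segments: Iterable[Segment], overlap: str = "first") -> bytes:
    """Rebuild the byte stream in arrival order. On overlapping bytes,
    'first' keeps the data seen first, 'last' lets later data overwrite.
    Holes (never-seen offsets) are filled with '?'."""
    stream = {}
    for s in segments:
        for i, b in enumerate(s.data):
            off = s.seq + i
            if overlap == "last" or off not in stream:
                stream[off] = b
    if not stream:
        return b""
    return bytes(stream.get(i, ord("?")) for i in range(min(stream), max(stream) + 1))


def scrub(segments: Iterable[Segment], min_ttl: int) -> List[Segment]:
    """A minimal inline TCP normalizer (assumed policy, in the spirit of the
    scrubbers cited above):
    - drop segments whose TTL is below `min_ttl`, an operator-supplied bound
      meaning "could not reach any protected host anyway";
    - drop a segment whose bytes disagree with data already forwarded for
      the same sequence range, so the monitor and the host cannot be shown
      different content for the same offsets."""
    forwarded = {}
    out = []
    for s in segments:
        if s.ttl < min_ttl:
            continue
        if not all(forwarded.get(s.seq + i, b) == b for i, b in enumerate(s.data)):
            continue
        for i, b in enumerate(s.data):
            forwarded[s.seq + i] = b
        out.append(s)
    return out


# Constructed traffic. The attacker knows the victim is 4 hops past the
# monitor and sends chaff with ttl=2 first: the IDS sees it, the host does not.
REAL = b"GET /etc/passwd HTTP/1.0\r\n"   # the request a signature would match
CHAFF = b"GET /index.html"               # 15 bytes overlapping the start of REAL
HOPS_TO_HOST = 4
ATTACK = [Segment(0, CHAFF, ttl=2), Segment(0, REAL, ttl=64)]

# A second constructed case: an inconsistent "retransmission" that rewrites
# bytes 4..14 after the original data has already been forwarded.
RETRANS = [Segment(0, REAL, ttl=64), Segment(4, CHAFF[4:], ttl=64)]


def signature_matches(stream: bytes) -> bool:
    return b"/etc/passwd" in stream


def host_view() -> bytes:
    """What the end host reassembles: only segments that survive transit."""
    return reassemble(survive_transit(ATTACK, HOPS_TO_HOST))


def naive_ids_view() -> bytes:
    """What a passive monitor with a first-wins policy reassembles."""
    return reassemble(ATTACK, overlap="first")


def scrubbed_views(min_ttl: int = 8) -> Tuple[bytes, bytes]:
    """(IDS view, host view) once the traffic has passed through the scrubber."""
    clean = scrub(ATTACK, min_ttl)
    return reassemble(clean), reassemble(survive_transit(clean, HOPS_TO_HOST))


if __name__ == "__main__":
    print("host :", host_view())
    print("ids  :", naive_ids_view(), "alert" if signature_matches(naive_ids_view()) else "MISSED")
    print("scrub:", scrubbed_views())
    print("retransmission segments kept by scrubber:", len(scrub(RETRANS, 8)))
```

Run stand-alone, the naive monitor reassembles `GET /index.html HTTP/1.0\r\n` and never alerts, while the host receives the real `/etc/passwd` request; with the scrubber in path both see the same bytes, and the rewriting retransmission in `RETRANS` is discarded rather than forwarded. The `min_ttl` check is only sound when the operator actually knows the maximum distance to protected hosts, which is the same caveat the scrubber papers make.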
Current thread:
- fragroute vs. snort: the tempest in a teacup Dragos Ruiu (Apr 17)
- Re: fragroute vs. snort: the tempest in a teacup Dug Song (Apr 18)
- Re: fragroute vs. snort: the tempest in a teacup Darren Reed (Apr 18)
- Re: fragroute vs. snort: the tempest in a teacup Ron DuFresne (Apr 19)
- RE: fragroute vs. snort: the tempest in a teacup Enno Rey (Apr 19)
- Re: fragroute vs. snort: the tempest in a teacup Marco Thorbruegge (Apr 19)
- Re: fragroute vs. snort: the tempest in a teacup Crist J. Clark (Apr 20)
- Re: fragroute vs. snort: the tempest in a teacup Francis Cianfrocca (Apr 18)
- Re: Re: fragroute vs. snort: the tempest in a teacup Jason Haar (Apr 18)
- Re: fragroute vs. snort: the tempest in a teacup Darren Reed (Apr 18)
- <Possible follow-ups>
- Re: fragroute vs. snort: the tempest in a teacup Brad Powell (Apr 19)
- Re: fragroute vs. snort: the tempest in a teacup Steven M. Bellovin (Apr 19)
- RE: fragroute vs. snort: the tempest in a teacup Craig, Scott (Apr 25)
- RE: fragroute vs. snort: the tempest in a teacup Ron DuFresne (Apr 25)
- Re: fragroute vs. snort: the tempest in a teacup Dug Song (Apr 18)