Security Basics mailing list archives

RE: DROP or REJECT FILTERS for fragmented TCP scans


From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 17 Apr 2003 13:54:30 -0700

-----Original Message-----
From: Ali Saifullah Khan [mailto:saifullah () attitudex com]

How effective (if effective) would either IPTABLES REJECT
or DROP filters be in the case of fragmented scans where the
TCP header is divided over a range of smaller packets?

  My opinion is that any security barrier device worth its
salt should discard all IP fragments.  (I don't know what
iptables does, but that's my recommendation.)

  The problems with forwarding them intact are well documented.
  Some products attempt to deal with these problems by performing 
packet reassembly at the security device.  But I'm not sure that
that is useful, and the very act of performing packet reassembly
makes the device vulnerable to Denial-of-Service by targeting
that function.
  Clients can either have a working MTU setting, or perform 
MTU discovery.  So I don't think discarding fragments has to
break anything that's properly implemented.

  Most of the time that I see IP fragments on our network, they're
part of an unsophisticated brute-force attempt by compromised or
infected machines to overwhelm some target on the Internet (and
what they turn out to actually do is overwhelm OUR Internet
connection).  So the sooner I can discard that traffic, the better
for all.

David Gillett
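An added illustration, not part of the thread: parsing the IPv4 fragmentation fields so a filter can apply the "discard all fragments" policy David describes, and showing why the first fragment of a split TCP header may not even carry the TCP flags a port filter would inspect. The packets are constructed sample input; the function and field names are this example's own. Note that iptables' `-f` match covers only second and later fragments, so the policy coded here is stricter than a plain `-f` rule.

```python
import struct

# IPv4 header layout used here (20 bytes, no options):
#   bytes 6-7: 3 flag bits (reserved, DF, MF) + 13-bit fragment offset (8-byte units)
#   byte 9:    protocol (6 = TCP)

def parse_ipv4_header(pkt: bytes) -> dict:
    """Return the fragmentation-relevant fields of an IPv4 header."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    return {
        "ihl": (ver_ihl & 0x0F) * 4,           # header length in bytes
        "total_len": total_len,
        "df": bool(flags_frag & 0x4000),        # Don't Fragment
        "mf": bool(flags_frag & 0x2000),        # More Fragments follow
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # offset in bytes
        "proto": proto,
    }

def classify_fragment(pkt: bytes) -> str:
    h = parse_ipv4_header(pkt)
    if h["frag_offset"] == 0 and not h["mf"]:
        return "unfragmented"
    if h["frag_offset"] == 0:
        return "first-fragment"      # this is what iptables -f does NOT match
    return "later-fragment"          # this is what iptables -f matches

def drop_all_fragments(pkt: bytes) -> bool:
    """Policy from the message: discard every fragment, the first one included."""
    return classify_fragment(pkt) != "unfragmented"

def tcp_header_complete(pkt: bytes) -> bool:
    """True only if this packet carries the whole 20-byte TCP header."""
    h = parse_ipv4_header(pkt)
    payload = h["total_len"] - h["ihl"]
    return h["proto"] == 6 and h["frag_offset"] == 0 and payload >= 20

def make_ipv4(total_len: int, flags_frag: int, proto: int = 6) -> bytes:
    """Constructed header: 10.0.0.1 -> 10.0.0.2, TTL 64, checksum left zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag,
                       64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

# Constructed sample packets:
UNFRAG = make_ipv4(40, 0x4000)      # DF set; 20 bytes of payload = full TCP header
FIRST_FRAG = make_ipv4(28, 0x2000)  # MF set, offset 0; only 8 bytes (ports, seq), no TCP flags
LATER_FRAG = make_ipv4(32, 0x0001)  # offset 8 bytes; carries the rest of the TCP header
```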


