Security Basics mailing list archives
RE: DROP or REJECT FILTERS for fragmented TCP scans
From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 17 Apr 2003 13:54:30 -0700
-----Original Message-----
From: Ali Saifullah Khan [mailto:saifullah () attitudex com]

How effective (if effective) would either IPTABLES REJECT or DROP filters be in the case of fragmented scans where the TCP header is divided over a range of smaller packets?
My opinion is that any security barrier device worth its salt should discard all IP fragments. (I don't know what iptables does, but that's my recommendation.) The problems with forwarding them intact are well documented.

Some products attempt to deal with these problems by performing packet reassembly at the security device. But I'm not sure that that is useful, and the very act of performing packet reassembly makes the device vulnerable to Denial-of-Service by targeting that function.

Clients can either have a working MTU setting, or perform MTU discovery. So I don't think discarding fragments has to break anything that's properly implemented.

Most of the time that I see IP fragments on our network, they're part of an unsophisticated brute-force attempt by compromised or infected machines to overwhelm some target on the Internet (and what they turn out to actually do is overwhelm OUR Internet connection). So the sooner I can discard that traffic, the better for all.

David Gillett
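The following is an added illustration of the point made in this reply; it is not part of the original thread and not code from either poster. It builds a minimal IPv4 parser, constructs a TCP SYN probe to port 23 both as a single datagram and split into two fragments (RFC 5737 documentation addresses, constructed sample data), and compares two stateless filter policies: a port-only match, and the "discard all IP fragments" policy recommended above. Only the fragment at offset 0 carries the TCP header, so a port-only filter has nothing to match in later fragments and passes them; dropping every fragment removes that blind spot without any reassembly state on the filtering device. The policy functions, the blocked-port set and the packet builder are hypothetical names chosen for this example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IP_MF = 0x1                      # "More Fragments" bit in the IPv4 flags field
BLOCKED_PORTS = frozenset({23})  # hypothetical policy: block inbound telnet


@dataclass
class IPv4Packet:
    src: str
    dst: str
    proto: int
    more_fragments: bool
    frag_offset: int   # in 8-byte units, as carried on the wire
    payload: bytes

    @property
    def is_fragment(self) -> bool:
        # A datagram is a fragment if MF is set or it does not start at offset 0.
        return self.more_fragments or self.frag_offset != 0


def parse_ipv4(raw: bytes) -> IPv4Packet:
    """Parse the fixed 20-byte IPv4 header plus options; returns header fields and payload."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total_len, _ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(raw):
        raise ValueError("bad IHL")
    return IPv4Packet(
        src=".".join(map(str, src)),
        dst=".".join(map(str, dst)),
        proto=proto,
        more_fragments=bool((flags_frag >> 13) & IP_MF),
        frag_offset=flags_frag & 0x1FFF,
        payload=raw[ihl:],
    )


def tcp_dst_port(pkt: IPv4Packet) -> Optional[int]:
    """Destination port, available only in the first fragment of a TCP segment."""
    if pkt.proto != 6 or pkt.frag_offset != 0 or len(pkt.payload) < 4:
        return None
    return struct.unpack("!H", pkt.payload[2:4])[0]


def port_only_policy(pkt: IPv4Packet) -> str:
    """Stateless port filter: non-first fragments expose no port, so they are accepted."""
    return "DROP" if tcp_dst_port(pkt) in BLOCKED_PORTS else "ACCEPT"


def drop_all_fragments_policy(pkt: IPv4Packet) -> str:
    """The policy argued for above: every fragment is discarded, then the port check applies."""
    if pkt.is_fragment:
        return "DROP"
    return port_only_policy(pkt)


def build_ipv4(src: str, dst: str, proto: int, payload: bytes,
               more_fragments: bool = False, frag_offset: int = 0, ident: int = 0x1234) -> bytes:
    """Construct a test datagram (checksum left zero; fine for an offline parser demo)."""
    flags_frag = ((1 if more_fragments else 0) << 13) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, proto, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


# Constructed 20-byte TCP header: src port 40000, dst port 23, SYN flag set.
TCP_SYN_TO_23 = struct.pack("!HHIIBBHHH", 40000, 23, 1, 0, 0x50, 0x02, 8192, 0, 0)
TCP_SYN_TO_80 = struct.pack("!HHIIBBHHH", 40001, 80, 1, 0, 0x50, 0x02, 8192, 0, 0)


def demo() -> Dict[str, Tuple[str, str]]:
    """Verdicts as (port_only, drop_all_fragments) for each constructed datagram."""
    src, dst = "192.0.2.10", "198.51.100.5"      # RFC 5737 documentation addresses
    samples = {
        "whole_to_23": build_ipv4(src, dst, 6, TCP_SYN_TO_23),
        # Same segment split at an 8-byte boundary: offset field counts 8-byte units.
        "frag1_to_23": build_ipv4(src, dst, 6, TCP_SYN_TO_23[:8], more_fragments=True, frag_offset=0),
        "frag2_to_23": build_ipv4(src, dst, 6, TCP_SYN_TO_23[8:], more_fragments=False, frag_offset=1),
        "whole_to_80": build_ipv4(src, dst, 6, TCP_SYN_TO_80),   # ordinary, unfragmented traffic
    }
    return {name: (port_only_policy(parse_ipv4(raw)), drop_all_fragments_policy(parse_ipv4(raw)))
            for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:12s} port_only={verdicts[0]:6s} drop_all_fragments={verdicts[1]}")
```

Running it shows the second fragment of the port-23 probe accepted by the port-only policy and dropped by the fragment-discarding one, while the unfragmented port-80 SYN passes both, which is the "doesn't break anything properly implemented" point: a host with a correct MTU or working path MTU discovery never needs to send fragments to begin with. In iptables terms, the equivalent of `drop_all_fragments_policy` is a rule using the `-f` (`--fragment`) match, which selects second and further fragments, combined with whatever port rules already apply to the first fragment.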