Bugtraq mailing list archives

Blocking IP Options (was Re: Remote DoS in Axent's Raptor 6.0)


From: kadokev () MSG NET (kadokev () MSG NET)
Date: Thu, 28 Oct 1999 11:09:02 -0500


      Can anyone point me to some info on blocking IP options?
      A search of Cisco's site and dejanews does not show anything.

Hal Kuff
TESSCO Technologies

IOS has support for blocking a few IP options, including source route and
IP security; however, the PIX firewall seems to be the only Cisco product that
appears to block the more obscure options.

Darren Reed's IP Filter (see http://newcoombs.anu.edu.au/~avalon/ for details)
is a free packet filter implemented as a loadable kernel module; it runs on
many Unix platforms and is included in the current (Free|Net|Open)BSD
distributions.

IP Filter (ipf) can block IP Options and all short fragments.  Where I have
installed ipf, the ipf.rules file usually begins with:

        block in quick from any to any with short frag
        block in quick all with ipopts

I usually then go on to block spoofed packets, including the RFC 1597 source
addresses and, for the truly paranoid, any packets claiming the 127. network
exists on anything other than the loopback interface.

Kevin
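
Added illustration (not from the post above, and not IP Filter's own code): a
short Python script that applies the two tests expressed by the `with ipopts`
and `with short` rules to raw IPv4 packets, so the reader can see what those
keywords actually examine. It unpacks the IPv4 header, walks the options area
naming each option (including the source-route and security options mentioned
above), and flags a first fragment too small to hold its transport header.
The sample packets are constructed inside the script; the MIN_TRANSPORT_LEN
table and is_short() are this example's approximation of ipf's "short"
semantics, not a copy of its implementation.

```python
"""Apply the tests behind ipf's `with ipopts` and `with short` to raw IPv4.

Added example for this thread, not code from the post or from IP Filter.
Sample packets are constructed below; the "short" thresholds are assumed.
"""
import struct

# IP option type octets (copy | class | number), RFC 791 / IANA registry.
OPTION_NAMES = {
    0x00: "EOOL", 0x01: "NOP", 0x07: "RR", 0x44: "TS",
    0x82: "SEC",     # security (RFC 1108): the "IP security" option IOS can drop
    0x83: "LSRR",    # loose source and record route
    0x88: "SID", 0x89: "SSRR", 0x94: "RTRALT",
}

# Smallest transport header a first fragment must carry (assumed thresholds).
MIN_TRANSPORT_LEN = {1: 8, 6: 20, 17: 8}  # ICMP, TCP, UDP


def parse_ipv4(pkt: bytes) -> dict:
    """Unpack the fixed 20-byte IPv4 header and slice out the options area."""
    if len(pkt) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        raise ValueError("IHL points past the end of the packet")
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "ihl": ihl, "total_len": total_len, "proto": proto,
        "more_frags": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,
        "options": pkt[20:ihl],
    }


def list_options(opts: bytes) -> list:
    """Walk the options area (type, length, data) and name each option."""
    names, i = [], 0
    while i < len(opts):
        t = opts[i]
        if t == 0x00:                 # EOOL terminates the list
            names.append("EOOL")
            break
        if t == 0x01:                 # NOP is a single octet with no length
            names.append("NOP")
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            names.append("MALFORMED")  # no length octet, or it runs off the end
            break
        names.append(OPTION_NAMES.get(t, "UNKNOWN-0x%02x" % t))
        i += opts[i + 1]
    return names


def is_short(hdr: dict, pkt_len: int) -> bool:
    """A first fragment too small to hold its transport header is 'short'."""
    if hdr["frag_offset"] != 0:
        return False                  # later fragments carry no transport header
    return pkt_len - hdr["ihl"] < MIN_TRANSPORT_LEN.get(hdr["proto"], 0)


def classify(pkt: bytes) -> dict:
    """Mirror `block in quick all with ipopts` and `... with short`."""
    hdr = parse_ipv4(pkt)
    ipopts, short = hdr["ihl"] > 20, is_short(hdr, len(pkt))
    return {"src": hdr["src"], "dst": hdr["dst"],
            "options": list_options(hdr["options"]),
            "ipopts": ipopts, "short": short, "block": ipopts or short}


def build_ipv4(src, dst, proto, payload=b"", options=b"", frag_offset=0):
    """Construct a test packet; options are padded to 32 bits with EOOL."""
    options += b"\x00" * (-len(options) % 4)
    ihl = (20 + len(options)) // 4
    addr = lambda s: bytes(int(x) for x in s.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options) + len(payload),
                      0x1234, frag_offset // 8, 64, proto, 0, addr(src), addr(dst))
    return hdr + options + payload


# Constructed sample traffic (RFC 5737 documentation addresses, not a capture).
SAMPLES = {
    "plain_tcp": build_ipv4("192.0.2.1", "198.51.100.7", 6, b"\x00" * 20),
    "lsrr": build_ipv4("192.0.2.1", "198.51.100.7", 6, b"\x00" * 20,
                       options=bytes([0x83, 11, 4]) + b"\x0a\x00\x00\x01\xc0\xa8\x01\x01"),
    "security": build_ipv4("192.0.2.1", "198.51.100.7", 17, b"\x00" * 8,
                           options=bytes([0x82, 11]) + b"\x00" * 9),
    "short_tcp": build_ipv4("192.0.2.1", "198.51.100.7", 6, b"\x00" * 8),
    "later_frag": build_ipv4("192.0.2.1", "198.51.100.7", 17, b"\x00" * 8, frag_offset=8),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify(pkt))
```

Note the two edge cases the rules above rely on: a later fragment (non-zero
offset) is never "short", because it carries no transport header to test, and
an options area whose length octet runs past the header is reported as
malformed rather than silently accepted.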

