Bugtraq mailing list archives

Re: FW-1 IP Fragmentation Vulnerability


From: avalon () COOMBS ANU EDU AU (Darren Reed)
Date: Wed, 7 Jun 2000 01:54:41 +1000


In some mail from Lance Spitzner, sie said:
[...]
Other firewalls may have the same problem and vulnerability.
[...]

FWIW, IP Filter doesn't do any packet reconstruction for fragmentation
nor output large amounts of messages to the console.  It will let you
block/log them to your heart's content and at the same time supports
passing of fragments through which are seen to be part of kept state
(limitations apply) without needing to defragment things.  Consequently
there are the usual DoS issues with full tables, etc - there is only
so much you can do.  For the most part, the Internet is largely fragment
free so blocking them is a real solution/alternative.

Back when I learnt about networking, they explained that defragmenting
of packets by routers (i.e. packet filtering firewalls) was bad for
various reasons, the main one being buffer shortages leading to deadlock
of passing packets.  Seems there are more reasons not to do this :)

I'm almost tempted to suggest people use IP Filter to protect FW-1 on
Solaris boxes (i.e. block fragment packets) but I've no idea if that
would actually work :-)  I suspect "not yet" is the answer (the next
major version of IP Filter would make that possible, I think :).

Happy Hacking,
Darren
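
As an added illustration (not Darren's code and not IP Filter's implementation), the following Python sketch shows what "passing fragments seen to be part of kept state without defragmenting" involves, where the limitations come from, and why a full fragment table turns into a denial of service. All packets are constructed inline; the table size, the flow-key layout, the log format and the decision order are assumptions for illustration, not IP Filter's rules or data structures.

```python
import socket
import struct
from collections import OrderedDict

TCP, UDP = 6, 17
MAX_FRAG_ENTRIES = 4  # assumed, deliberately tiny so the "full table" case shows


def parse_ipv4(pkt):
    """Pull out the header fields a filter needs; never buffers payload."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (vihl, _tos, _tlen, ident, flags_off, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    payload = pkt[(vihl & 0x0F) * 4:]
    offset = (flags_off & 0x1FFF) * 8      # fragment offset in bytes
    mf = bool(flags_off & 0x2000)          # More Fragments flag
    # Ports exist only in an unfragmented packet or a first fragment that
    # actually carries the transport header; a shorter one cannot be matched.
    ports = None
    if offset == 0 and proto in (TCP, UDP) and len(payload) >= 4:
        ports = struct.unpack("!HH", payload[:4])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "id": ident, "offset": offset, "mf": mf,
            "ports": ports}


def build_ipv4(src, dst, proto, ident, offset, mf, payload):
    """Constructed sample packet (checksum left zero; the filter ignores it)."""
    flags_off = (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


class FragmentFilter:
    """Toy stateful filter: passes fragments of known flows, never reassembles."""

    def __init__(self, allowed_flows, block_fragments=False):
        self.allowed = set(allowed_flows)   # (src, dst, proto, sport, dport)
        self.block_fragments = block_fragments
        self.frag_table = OrderedDict()     # (src, dst, proto, id) -> seen
        self.log = []

    def decide(self, pkt):
        h = parse_ipv4(pkt)
        fkey = (h["src"], h["dst"], h["proto"], h["id"])
        if self.block_fragments and (h["mf"] or h["offset"]):
            self.log.append(("block", "fragment", fkey))   # the blunt policy
            return "block"
        if h["offset"]:
            # Non-first fragment: no ports to match, only the table can vouch.
            if fkey in self.frag_table:
                if not h["mf"]:
                    del self.frag_table[fkey]    # last piece, free the slot
                return "pass"
            self.log.append(("block", "orphan-fragment", fkey))
            return "block"
        if h["ports"] is None:
            self.log.append(("block", "short-or-unsupported", fkey))
            return "block"
        flow = (h["src"], h["dst"], h["proto"]) + h["ports"]
        if flow not in self.allowed:
            self.log.append(("block", "no-state", flow))
            return "block"
        if h["mf"]:
            if len(self.frag_table) >= MAX_FRAG_ENTRIES:
                # First fragment passes on its own merits, but its siblings
                # will arrive as orphans: this is the table-exhaustion DoS.
                self.log.append(("warn", "frag-table-full", fkey))
            else:
                self.frag_table[fkey] = True
        return "pass"


def demo():
    src, dst = "10.0.0.1", "10.0.0.2"
    tcp_hdr = struct.pack("!HH", 40000, 80) + b"\0" * 16   # ports + rest of TCP header
    flt = FragmentFilter([(src, dst, TCP, 40000, 80)])
    first = build_ipv4(src, dst, TCP, 0x1234, 0, True, tcp_hdr + b"A" * 1460)
    udp = struct.pack("!HHHH", 1111, 53, 8, 0)
    return [
        flt.decide(first),                                                      # pass
        flt.decide(build_ipv4(src, dst, TCP, 0x1234, 1480, False, b"B" * 64)),  # pass
        flt.decide(build_ipv4(src, dst, TCP, 0x9999, 1480, False, b"C" * 64)),  # block
        flt.decide(build_ipv4(src, dst, UDP, 1, 0, False, udp)),                # block
        flt.decide(build_ipv4(src, dst, TCP, 2, 0, True, b"\x9c")),             # block
        FragmentFilter([(src, dst, TCP, 40000, 80)], True).decide(first),       # block
    ]


def exhaust_table():
    src, dst = "10.0.0.1", "10.0.0.2"
    tcp_hdr = struct.pack("!HH", 40000, 80) + b"\0" * 16
    flt = FragmentFilter([(src, dst, TCP, 40000, 80)])
    for i in range(MAX_FRAG_ENTRIES + 1):
        flt.decide(build_ipv4(src, dst, TCP, i, 0, True, tcp_hdr))
    return [flt.decide(build_ipv4(src, dst, TCP, i, 24, False, b"x"))
            for i in range(MAX_FRAG_ENTRIES + 1)]
```

The second and third packets in `demo()` are the interesting pair: both are tail fragments with no transport header, and the only thing separating pass from block is whether a matching first fragment created a table entry. `exhaust_table()` shows the flip side: once the table is full the fifth datagram's tail is indistinguishable from an attacker's orphan fragment, so a flood of first fragments (or a long-lived set of never-completed ones) denies service to legitimate fragmented traffic without any reassembly buffer being involved.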
