Firewall Wizards mailing list archives
Re: Firewall comparison in Data Communications
From: "Ge' Weijers" <ge () progressive-systems com>
Date: Thu, 3 Jun 1999 12:32:57 -0400
On Thu, Jun 03, 1999 at 11:45:24AM -0400, dnewman () cmp com wrote:
> Most SPF products (including all those in the Data Comm) have specific anti-ping o' death routines. True, this usually isn't part of the SPF itself. But there are safeguards in place against common attacks like IP spoofing, SYN flooding, ping of death, and the like. In the case of the ping of death, I presume these routines drop ICMP packets with a length greater than 64 kbytes. I'm curious to hear--what variant of the ping of death would be allowed through?
>
> dn
I'm sure that most commercial firewalls now filter on fragments whose last byte extends past the 64K limit. My example could have been better, so let's try again:

Old SunOS systems handle 'Host unreachable' messages by dropping all connections to the unreachable host. If you've got one of those behind your firewall running legacy stuff you can mount a denial of service attack on it by sending it 'host unreachable' messages that claim that a machine it's talking to is offline. This SunOS behavior is _wrong_, but the packets look perfectly valid.

In my (limited) experience SPFs don't inspect the payload of the ICMP packet to check it for plausibility, for performance reasons. They rely on the host 'protected' by the firewall to do the right thing. All packet filters, static or dynamic, do this to some extent. The next big exploit may get through an SPF in a similar way. It's unlikely that this exploit will enable anyone to gain access to the machine, but it'll be another DoS.

Sorry for the confusion.

Ge'

--
Ge' Weijers                      Voice: (614)326 4600
Progressive Systems, Inc.        FAX:   (614)326 4601
2000 West Henderson Rd. Suite 400, Columbus OH 43220
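The plausibility check Ge' says SPFs skip, written out as an added example (not code from the list or from any firewall product): the filter parses the IP header that RFC 792 requires an ICMP error to quote and admits the error only if that quoted datagram belongs to a connection already in the state table and is addressed back to its sender. The addresses, ports and state-table layout are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

ICMP_UNREACH = 3   # ICMP type 3; code 1 = "host unreachable"

def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 datagram (checksum left zero: constructed test data only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def build_unreach(router, victim, q_src, q_dst, sport, dport):
    """ICMP host-unreachable quoting the first 28 bytes of an original TCP segment."""
    quoted = build_ipv4(q_src, q_dst, 6, struct.pack("!HHI", sport, dport, 1000))
    return build_ipv4(router, victim, 1, struct.pack("!BBHI", ICMP_UNREACH, 1, 0, 0) + quoted)

def parse_ipv4(buf):
    """Return (src, dst, proto, payload) of a raw IPv4 datagram."""
    ihl = (buf[0] & 0x0F) * 4
    return (str(IPv4Address(buf[12:16])), str(IPv4Address(buf[16:20])), buf[9], buf[ihl:])

def icmp_error_plausible(pkt, flows):
    """Admit an ICMP unreachable only if the datagram it quotes belongs to a live flow.
    flows: set of (inside_src, sport, outside_dst, dport, proto) tuples for
    connections the firewall has seen inside hosts open (constructed layout)."""
    src, dst, proto, icmp = parse_ipv4(pkt)
    if proto != 1 or icmp[0] != ICMP_UNREACH:
        return False, "not an ICMP unreachable"
    quoted = icmp[8:]                       # RFC 792: original IP header + 8 bytes
    if len(quoted) < 28:
        return False, "quoted datagram truncated"
    q_src, q_dst, q_proto, q_l4 = parse_ipv4(quoted)
    if q_src != dst:
        return False, "error not addressed to the sender of the quoted datagram"
    sport, dport = struct.unpack("!HH", q_l4[:4])
    if (q_src, sport, q_dst, dport, q_proto) not in flows:
        return False, "quoted datagram matches no connection in the state table"
    return True, "ok"

# Constructed sample: inside host 10.0.0.5 has a TCP session open to 198.51.100.7:80.
FLOWS = {("10.0.0.5", 40000, "198.51.100.7", 80, 6)}
LEGIT = build_unreach("192.0.2.1", "10.0.0.5", "10.0.0.5", "198.51.100.7", 40000, 80)
# Error about a connection the state table has never seen: dropped, not relayed to SunOS.
FORGED = build_unreach("192.0.2.1", "10.0.0.5", "10.0.0.5", "198.51.100.7", 40000, 443)

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT), ("forged", FORGED)):
        print(name, icmp_error_plausible(pkt, FLOWS))
```

The cost Ge' mentions is visible here: every ICMP error now needs a second header parse and a state-table lookup instead of a fixed-offset match on type and code.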