Firewall Wizards mailing list archives

Re: Firewall comparison in Data Communications


From: "Ge' Weijers" <ge () progressive-systems com>
Date: Thu, 3 Jun 1999 12:32:57 -0400

On Thu, Jun 03, 1999 at 11:45:24AM -0400, dnewman () cmp com wrote:

> Most SPF products (including all those in the Data Comm) have specific anti-ping
> o' death routines. True, this usually isn't part of the SPF itself. But there
> are safeguards in place against common attacks like IP spoofing, SYN flooding,
> ping of death, and the like.
> 
> In the case of the ping of death, I presume these routines drop ICMP packets
> with a length greater than 64 kbytes. I'm curious to hear--what variant of the
> ping of death would be allowed through?
> 
> dn

I'm sure that most commercial firewalls now filter on fragments whose
last byte extends past the 64K limit. My example could have been
better, so let's try again:

Old SunOS systems handle 'Host unreachable' messages by dropping all
connections to the unreachable host. If you've got one of those behind
your firewall running legacy stuff you can mount a denial of service
attack on it by sending it 'host unreachable' messages that claim that
a machine it's talking to is offline. This SunOS behavior is _wrong_,
but the packets look perfectly valid. In my (limited) experience SPFs
don't inspect the payload of the ICMP packet to check it for
plausibility, for performance reasons. They rely on the host
'protected' by the firewall to do the right thing. All packet filters,
static or dynamic, do this to some extent. 

The next big exploit may get through an SPF in a similar way. It's
unlikely that this exploit will enable anyone to gain access to the
machine, but it'll be another DoS. 

Sorry for the confusion.

Ge'

-- 
-
Ge' Weijers                                Voice: (614)326 4600
Progressive Systems, Inc.                    FAX: (614)326 4601
2000 West Henderson Rd. Suite 400, Columbus OH 43220
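The plausibility check Ge' says SPFs of the day skipped, as an added example that is not part of the thread or of any product it mentions: a stateful filter already knows which TCP connections have left the protected network, and RFC 792 makes every ICMP error quote the IP header plus the first 8 bytes of the datagram that caused it, so the filter can refuse any 'host unreachable' whose quoted datagram does not match a tracked flow. The addresses, ports, flow table and the sequence-window test below are constructed for the demo; they are the editor's illustration, not a description of any 1999 firewall.

```python
"""Added example (not from the Firewall Wizards thread): plausibility check
for ICMP Destination Unreachable at a stateful packet filter.  The quoted
datagram (RFC 792) must match a connection the protected host really has,
and quote a sequence number that host actually put on the wire."""
import socket
import struct

IPPROTO_ICMP = 1
IPPROTO_TCP = 6
ICMP_DEST_UNREACH = 3
ICMP_HOST_UNREACH = 1

def ipv4_header(src, dst, proto, payload_len):
    # Version 4, IHL 5, no options; checksum left zero (nothing here hits a wire)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def host_unreachable(router, victim, q_src, q_dst, sport, dport, seq):
    """ICMP type 3 / code 1 from `router` to `victim`, quoting an IP header plus
    the first 8 bytes (ports and sequence number) of a TCP segment."""
    quoted = ipv4_header(q_src, q_dst, IPPROTO_TCP, 20) + struct.pack("!HHI", sport, dport, seq)
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, 0) + quoted
    return ipv4_header(router, victim, IPPROTO_ICMP, len(icmp)) + icmp

def parse_ipv4(buf):
    """Return (src, dst, proto, payload); raise ValueError on a bad header."""
    if len(buf) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(buf) < ihl:
        raise ValueError("bad IP header")
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, buf[ihl:]

class FlowTable:
    """Outbound TCP flows: (src, sport, dst, dport) -> (snd_una, snd_nxt)."""
    def __init__(self):
        self.flows = {}

    def add(self, src, sport, dst, dport, snd_una, snd_nxt):
        self.flows[(src, sport, dst, dport)] = (snd_una, snd_nxt)

def seq_in_flight(seq, snd_una, snd_nxt):
    # Modulo-2^32 comparison so a wrapped sequence space is handled correctly
    return (seq - snd_una) & 0xFFFFFFFF < (snd_nxt - snd_una) & 0xFFFFFFFF

def icmp_error_plausible(flows, pkt):
    """Return (accept, reason) for an inbound ICMP error.  Anything that cannot
    be tied to a tracked flow is dropped, which is what a forged 'host
    unreachable' aimed at an old SunOS box needs."""
    try:
        _, outer_dst, proto, icmp = parse_ipv4(pkt)
    except ValueError as exc:
        return False, str(exc)
    if proto != IPPROTO_ICMP or len(icmp) < 8:
        return False, "not an ICMP message"
    if icmp[0] != ICMP_DEST_UNREACH:
        return True, "not a Destination Unreachable; left to the other rules"
    try:
        q_src, q_dst, q_proto, q_rest = parse_ipv4(icmp[8:])
    except ValueError:
        return False, "quoted datagram missing or unparsable"
    if q_proto != IPPROTO_TCP or len(q_rest) < 8:
        return False, "quoted datagram is not a TCP segment"
    if q_src != outer_dst:
        return False, "error not addressed to the sender of the quoted datagram"
    sport, dport, seq = struct.unpack("!HHI", q_rest[:8])
    window = flows.flows.get((q_src, sport, q_dst, dport))
    if window is None:
        return False, "quoted datagram matches no tracked connection"
    if not seq_in_flight(seq, *window):
        return False, "quoted sequence number was never in flight on that connection"
    return True, "plausible: quotes a segment the protected host actually sent"

def demo():
    flows = FlowTable()
    # Protected host 10.0.0.5 has bytes 1000..1499 outstanding to 192.0.2.10:80
    flows.add("10.0.0.5", 40000, "192.0.2.10", 80, 1000, 1500)
    cases = {
        # A router on the path really could not reach 192.0.2.10
        "genuine": host_unreachable("198.51.100.1", "10.0.0.5", "10.0.0.5", "192.0.2.10", 40000, 80, 1200),
        # Attacker guessed the ports but not the sequence number
        "forged_seq": host_unreachable("203.0.113.9", "10.0.0.5", "10.0.0.5", "192.0.2.10", 40000, 80, 90000),
        # Attacker claims the peer is down for a connection that does not exist
        "forged_flow": host_unreachable("203.0.113.9", "10.0.0.5", "10.0.0.5", "192.0.2.10", 40001, 80, 1200),
        # Bare ICMP header with no quoted datagram at all
        "no_quote": ipv4_header("203.0.113.9", "10.0.0.5", IPPROTO_ICMP, 8)
                    + struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, 0),
    }
    return {name: icmp_error_plausible(flows, pkt) for name, pkt in cases.items()}

if __name__ == "__main__":
    for name, (accept, reason) in demo().items():
        print(f"{name:12s} {'ACCEPT' if accept else 'DROP  '} {reason}")
```

The caveat is the one Ge' makes: the filter can only reject errors that are implausible from the outside. An attacker who guesses the four-tuple and an in-window sequence number still gets through, so the host behind the firewall must also validate ICMP errors against its own connection state (the checks later written up in RFC 5927) rather than tearing down connections on any 'host unreachable' it is handed.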


