Security Incidents mailing list archives
RE: streams of fragments...
From: Rich Ostergard <rostergard () radiocentral com>
Date: Wed, 18 Jul 2001 15:50:19 -0700
You could get around this by setting the MTU to 1480, thus making it divisible by 8. This also has the added bonus of reducing the network overhead by 98.7%. All this info is in that fragmentation paper posted by Dug Song, I highly recommend reading it.

-----Original Message-----
From: Portnoy, Gary [mailto:gportnoy () belenosinc com]
Sent: Wednesday, July 18, 2001 11:47 AM
To: 'Jose Nazario'; Gamble
Cc: Russell Fulton; incidents () securityfocus com
Subject: RE: streams of fragments...

There wouldn't be any harm in blocking all fragmented packets, unless your users VPN in. I know that certain VPN protocols encapsulate the IP data, creating packets larger than the Ethernet MTU of 1500. This causes the packet to be fragmented. Just a word of advice: be careful. Sniff your network to make sure that you don't normally generate or receive fragmented packets...

-Gary-

-----Original Message-----
From: Jose Nazario [mailto:jose () biocserver BIOC cwru edu]
Sent: Wednesday, July 18, 2001 1:10 PM
To: Gamble
Cc: Russell Fulton; incidents () securityfocus com
Subject: Re: streams of fragments...

On Wed, 18 Jul 2001, Gamble wrote:
This sounds like a DOS attack. By sending you many fragmented packets the attacker could consume a lot of the memory on your machine. You could counter this by blocking all IP fragments on your firewall, but that would also prevent legitimate activities.
a lot of sites block fragments to no great loss of theirs. in this day and age it's usually not needed. i found this out some years ago helping a friend with a Linux firewall on his PPP link. his ISP had a PPP MTU of about 576, but his ethernet frames were set to an MTU of 1500, and you guessed it, he generated fragments. some sites were totally inaccessible until he tuned down his MTU to under 576 on his internal ethernet LAN. they're big names, but i won't post them here. *shrug* blocking fragments is not that bad to do these days.

____________________________
jose nazario jose () cwru edu
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
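
Added example, not part of the original thread: one way to follow the advice above to sniff the network for fragments before blocking them, by reading the MF flag and fragment offset from each IPv4 header and counting fragments per source/destination pair. It assumes raw IPv4 packets (no link-layer header) are already captured; the function names and the sample packets are constructed for illustration.

```python
import struct
from collections import Counter

MF = 0x2000           # "more fragments" bit in the 16-bit flags/offset field
OFFSET_MASK = 0x1FFF  # fragment offset, counted in 8-byte units

def parse_fragment_info(packet: bytes):
    """Return (src, dst, ip_id, offset_bytes, more_fragments), or None if not IPv4."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    if (packet[0] & 0x0F) * 4 < 20:
        return None  # header length field is invalid
    ip_id, flags_off = struct.unpack_from("!HH", packet, 4)
    src = ".".join(map(str, packet[12:16]))
    dst = ".".join(map(str, packet[16:20]))
    return src, dst, ip_id, (flags_off & OFFSET_MASK) * 8, bool(flags_off & MF)

def fragment_baseline(packets):
    """Count fragments seen per (src, dst) pair; an empty result means none observed."""
    counts = Counter()
    for pkt in packets:
        info = parse_fragment_info(pkt)
        # A packet is a fragment if MF is set or its offset is non-zero.
        if info and (info[4] or info[3] > 0):
            counts[(info[0], info[1])] += 1
    return counts

def build_packet(src, dst, ip_id, offset_bytes, mf, payload_len):
    """Constructed sample data: 20-byte IPv4 header (checksum left 0) + zero payload."""
    flags_off = (MF if mf else 0) | (offset_bytes // 8)
    addr = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ip_id,
                       flags_off, 64, 17, 0, addr(src), addr(dst)) + bytes(payload_len)

# Constructed capture: one 2000-byte datagram payload split at MTU 1500, one whole packet.
SAMPLE = [
    build_packet("192.0.2.10", "198.51.100.5", 4242, 0, True, 1480),
    build_packet("192.0.2.10", "198.51.100.5", 4242, 1480, False, 520),
    build_packet("192.0.2.20", "198.51.100.5", 7, 0, False, 100),
]

if __name__ == "__main__":
    for (src, dst), n in fragment_baseline(SAMPLE).items():
        print(f"{src} -> {dst}: {n} fragments")
```

An empty baseline over a representative capture window is the evidence that a fragment-drop rule will not break existing traffic; any pair that does appear (VPN peers, for instance) needs an exception first.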
Current thread:
- streams of fragments... Russell Fulton (Jul 17)
- Re: streams of fragments... Gamble (Jul 18)
- Re: streams of fragments... Jose Nazario (Jul 18)
- Re: streams of fragments... Dug Song (Jul 18)
- Re: streams of fragments... Russell Fulton (Jul 18)
- Re: streams of fragments... Jose Nazario (Jul 18)
- Re: streams of fragments... Burak DAYIOGLU (Jul 18)
- <Possible follow-ups>
- RE: streams of fragments... Portnoy, Gary (Jul 18)
- RE: streams of fragments... Rich Ostergard (Jul 18)
- Re: streams of fragments... Gamble (Jul 18)