Penetration Testing mailing list archives

Re: [PEN-TEST] IP fragmentation attack


From: Tom Vandepoel <Tom.Vandepoel () UBIZEN COM>
Date: Thu, 19 Oct 2000 23:57:29 +0200

"Fabio Pietrosanti (naif)" wrote:

Hi Dario,

Working with the Cisco PIX Firewall, I notice that NO malicious fragment
should pass this stateful firewall; the same goes for IOS's CBAC with "ip inspect
fragment" against every kind of attack that uses fragmentation.

My lab is doing a specific pen test against two different LAN segments
(firewall and IDS protected), with IP frag attacks.
Can somebody highlight some real, recent news about this issue?
We already know Lance's, the RFCs and Dug Song's paper about this argument; we
would like to know more info (and opinions) about the fact that IP
fragmentation works, as firewalls are supposed to keep the state of a
connection.
Thanks in advance

dario



How many people here have *practical* experience with bypassing, say, an
IOS ACL filter with IP frags? In theory it can be done, but it seems
that only very few people have actually succeeded in doing that.
Fragrouter might help, but it seems its primary use is to confuse NIDS
systems.

Nmap has a '-f' option that seems subject to a lot of caveats. It's
rumored to work on Linux, and I've found one specific patch to nmap to
exploit this in an older vulnerability in ipchains (or was it ipfwadm?).
From what I've gathered, there seem to be a lot of possible variations,
and there is a lot of dependency on the type of OS you're sending the
frags from. Anyone?

Tom.

--
_________________________________________________

Tom Vandepoel
Sr. Network Security Engineer

www.ubizen.com
tel +32 (0)16 28 70 00 - fax +32 (0)16 28 71 00
Ubizen - Grensstraat 1b - B-3010 Leuven - Belgium
_________________________________________________
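The thread asks why an ACL or stateful filter can be fooled by fragments: a filter that does not reassemble only ever sees the transport header in the first fragment, and a first fragment that is cut short (or a second fragment that starts 8 bytes in and overwrites the header) leaves the filter matching on fields it never saw. The following is an added example, written for this archive page and not code from any poster or from any firewall vendor; it implements the RFC 1858 header-only checks (drop a TCP first fragment carrying fewer than 16 bytes of transport data, and drop any fragment at offset 1) over constructed IPv4 packets. The packet builder, addresses and the 16-byte threshold are the example's own assumptions; real stateful firewalls normally go further and virtually reassemble the datagram before matching.

```python
import struct
from dataclasses import dataclass

IPPROTO_TCP = 6
IPPROTO_UDP = 17
# RFC 1858: a TCP first fragment must carry enough transport data to include
# the TCP flags byte (offset 13); 16 bytes is the threshold the RFC suggests.
MIN_FIRST_FRAGMENT_TCP_BYTES = 16


@dataclass
class FragmentInfo:
    protocol: int
    more_fragments: bool
    fragment_offset: int   # in 8-byte units, as carried on the wire
    transport_len: int     # bytes after the IP header in this fragment


def parse_ipv4(packet: bytes) -> FragmentInfo:
    """Pull the fragmentation-relevant fields out of a raw IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("short IPv4 header")
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     _ttl, proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise ValueError("inconsistent IPv4 length fields")
    return FragmentInfo(
        protocol=proto,
        more_fragments=bool(flags_frag & 0x2000),   # MF flag
        fragment_offset=flags_frag & 0x1FFF,        # 13-bit offset
        transport_len=total_len - ihl,
    )


def fragment_verdict(packet: bytes) -> str:
    """Return 'pass' or a drop reason for one packet under the RFC 1858 rules."""
    info = parse_ipv4(packet)
    if info.protocol != IPPROTO_TCP:
        return "pass"                       # rules below are TCP-specific
    if not info.more_fragments and info.fragment_offset == 0:
        return "pass"                       # unfragmented datagram
    if info.fragment_offset == 0 and info.transport_len < MIN_FIRST_FRAGMENT_TCP_BYTES:
        return "drop: tiny first fragment hides TCP flags from the filter"
    if info.fragment_offset == 1:
        return "drop: offset-1 fragment would overwrite the TCP header"
    return "pass"                           # later fragments carry no header to check


def build_ipv4(payload: bytes, proto: int = IPPROTO_TCP,
               more: bool = False, offset: int = 0) -> bytes:
    """Construct a minimal IPv4 packet for test traffic (checksum left zero;
    addresses are made-up lab values, an assumption of this example)."""
    total_len = 20 + len(payload)
    flags_frag = (0x2000 if more else 0) | (offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag,
                         64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload


def evaluate_samples() -> dict:
    """Run the verdict over constructed sample packets; returns {name: verdict}."""
    samples = {
        "whole_tcp_segment": build_ipv4(b"\x00" * 20),
        "tiny_tcp_first_fragment": build_ipv4(b"\x00" * 8, more=True),
        "tcp_offset_1_fragment": build_ipv4(b"\x00" * 8, offset=1),
        "tcp_offset_2_fragment": build_ipv4(b"\x00" * 8, offset=2),
        "tiny_udp_first_fragment": build_ipv4(b"\x00" * 8, proto=IPPROTO_UDP, more=True),
    }
    return {name: fragment_verdict(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:28s} {verdict}")
```

The "tcp_offset_2_fragment" case is the one that matters for the stateful-firewall question in the thread: the verdict is "pass" because nothing in that fragment can be checked on its own, so a filter that does not track the datagram (or reassemble it) has to let it through or drop all non-first fragments. Header-only heuristics like these stop the classic tiny-fragment and offset-1 cases but not every overlap pattern, which is why reassembly before inspection is the usual answer.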
