
RE: TCP small fragments



Cisco changed their acl language to include "fragment" as part of the
language.
This paper explains what they did and why.

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800949b8.shtml

Fragments are not malformed. Unusual maybe, but it really depends on
where you're seeing them.


-----Original Message-----
From: owner-opsec@psg.com [mailto:owner-opsec@psg.com] On Behalf Of pmrn
Sent: Wednesday, February 16, 2005 10:04 AM
To: Greg Sayadian
Cc: Steven M. Bellovin; opsec@ops.ietf.org; Vishwas Manral
Subject: Re: TCP small fragments


Hi,
I understood your point about firewalls. I understand Prof. Bellovin's
point also. The point I was trying to make is that it is a malformed
packet and, IMHO, all malformed packets are suspicious. I believe Prof.
Bellovin published a paper on this (not sure). I read it a long time ago.


It is a well-known technique used by attackers to evade firewalls. All
malformed packets are suspicious in my opinion. You get them, can't stop
them, and some are more harmful than others, in this case crashing hosts.



By the way, who said a firewall is a rock-solid security mechanism? It is
a something-better-than-nothing kind of thing.


Pall 


On Feb 16, 2005, at 10:05 AM, Greg Sayadian wrote: 


It is certainly possible with some routers to implement filtering based
on packet size. And as we know per RFC, valid packets have a minimum
size. So you can do things like filter on 40-byte SYN packets and drop,
count, log, etc. However, some routers don't do this and will pass any
fragment with the MF bit set. This translates to firewall vendors as
well. To get the legitimate answer to your question you will need to
look at the specific device you are interested in and see how it reacts.



Greg 


Steven M. Bellovin wrote:
In message
<BB6D74C75CC76A419B6D6FA7C38317B2628B83@sinett-sbs.SiNett.LAN>, "Vishwas Manral" writes:
Hi Pall,


We are not talking about right implementations of IP fragmentation. We
are talking about what firewalls do in case of small fragments which can
be caused by an attack.
Are such fragments discarded by the firewall in ISP (is it an option to
discard it)?


The problem is very well known in the firewall community. For that
matter, see RFC 1858, which documents it. I believe that most firewall
products handle it properly. 
--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb 


-- 
<>< 
Greg Sayadian 
AOL 
703-265-2483 



Pall Ramanathan 
Work: 678-9359670 
Mobile: 678-576-7105 


www.amalannetworks.com 


Learn like you will live for ever and Live like you will die
tomorrow-Gandhi
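As an added example, not part of the thread above and not code from Cisco or any firewall vendor: the two filter rules in RFC 1858 that Prof. Bellovin points to (drop a first fragment too short to carry the TCP flags, and drop a fragment at offset 1 that could overwrite them) implemented over raw IPv4 headers, alongside the initial/non-initial fragment classification that a Cisco-style ACL `fragments` keyword matches on (it matches only non-initial fragments; whole datagrams and initial fragments are matched by the ordinary L3/L4 lines). The sample packets are constructed inline; the addresses, ports, fragment offsets and the `tmin` of 16 octets are assumptions for illustration, though 16 is the value RFC 1858 reasons from (the TCP flags live in octet 13).

```python
"""RFC 1858 fragment checks over raw IPv4 packets (added example).

Rules, in RFC 1858's own terms:
  tiny fragment: IF FO == 0 AND PROTOCOL == TCP AND TRANSPORTLEN < tmin THEN DROP
  overlap:       IF FO == 1 AND PROTOCOL == TCP                         THEN DROP
FO is the fragment offset in 8-octet units; TRANSPORTLEN is the bytes after the IP header.
"""
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17
TMIN = 16  # assumed tmin: enough of the TCP header to cover ports, seq, ack, data offset and flags


def build_ipv4(proto, payload, mf=False, fo=0,
               src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Minimal IPv4 header (no options). Checksum is left zero: the filters below ignore it."""
    flags_frag = (0x2000 if mf else 0) | (fo & 0x1FFF)
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234,
                      flags_frag, 64, proto, 0, src, dst)
    return hdr + payload


def build_tcp(sport=40000, dport=80, flags=0x02, seq=1):
    """Minimal 20-byte TCP header, no options. flags=0x02 is a bare SYN."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)


def parse_ipv4(pkt):
    """Return proto, MF, FO and TRANSPORTLEN; reject headers that cannot be trusted."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    vihl, _tos, total_len, _id, flags_frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or ihl > len(pkt) or total_len < ihl or total_len > len(pkt):
        raise ValueError("malformed IPv4 header")
    return {
        "proto": proto,
        "mf": bool(flags_frag & 0x2000),
        "fo": flags_frag & 0x1FFF,          # fragment offset in 8-octet units
        "transport_len": total_len - ihl,   # TRANSPORTLEN in RFC 1858 terms
    }


def classify(pkt):
    """'unfragmented', 'initial' (FO=0, MF=1) or 'noninitial' (FO>0).

    An ACL 'fragments' keyword of the Cisco kind matches only 'noninitial'; the other two
    classes carry a transport header and are matched by the normal port-based lines.
    """
    h = parse_ipv4(pkt)
    if h["fo"] == 0 and not h["mf"]:
        return "unfragmented"
    return "initial" if h["fo"] == 0 else "noninitial"


def rfc1858_verdict(pkt, tmin=TMIN):
    """Apply the two RFC 1858 drop rules; everything else passes to the next filter stage."""
    h = parse_ipv4(pkt)
    if h["proto"] != IPPROTO_TCP:
        return "pass"            # RFC 1858 states its rules for TCP only
    if h["fo"] == 0 and h["transport_len"] < tmin:
        return "drop-tiny"       # the flags byte would only arrive in a later fragment
    if h["fo"] == 1:
        return "drop-overlap"    # 8-octet offset rewrites octets 8..15, which hold the flags
    return "pass"


# Constructed sample packets (not captured traffic).
SAMPLES = {
    "syn": build_ipv4(IPPROTO_TCP, build_tcp()),                             # plain 40-byte SYN
    "tiny_first": build_ipv4(IPPROTO_TCP, build_tcp()[:8], mf=True, fo=0),    # ports only, flags deferred
    "overlap_second": build_ipv4(IPPROTO_TCP, build_tcp()[8:16], fo=1),       # would overwrite flags
    "big_first": build_ipv4(IPPROTO_TCP, build_tcp() + b"A" * 1460, mf=True), # honest first fragment
    "tail": build_ipv4(IPPROTO_TCP, b"B" * 100, fo=185),                      # honest last fragment
    "udp_tiny": build_ipv4(IPPROTO_UDP, b"\x00" * 8, mf=True, fo=0),          # outside the TCP rules
}


def run_all(samples=SAMPLES):
    """Map each sample name to (classification, RFC 1858 verdict)."""
    return {name: (classify(p), rfc1858_verdict(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (cls, verdict) in run_all().items():
        print(f"{name:15s} {cls:13s} {verdict}")
```

Note the caveat the `udp_tiny` sample makes visible: RFC 1858's rules are written for TCP, so a stateless filter built from them alone says nothing about tiny UDP or ICMP fragments, and a filter that only counts the bytes of the first fragment still cannot see a later fragment that overlaps bytes beyond offset 1 unless it reassembles. That is why the thread's answer is "check what the specific device does" rather than a single rule.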