
RE: TCP small fragments



Hi Steve,

I have been wondering about the Tiny Fragments check for TCP over IPv6: as there can be many extension headers between the TCP header and the IPv6 standard header, we may have fragmented TCP packets?

The fragmentation, I guess, does not see whether it is fragmenting the inner TCP header or not (which is way inside the packet).

Thanks,

Vishwas


From: pmrn [mailto:pmrn@mac.com]
Sent: Wednesday, February 16, 2005 10:34 PM
To: Greg Sayadian
Cc: Steven M. Bellovin; opsec@ops.ietf.org; Vishwas Manral
Subject: Re: TCP small fragments

 

Hi,

I understood your point about firewalls. I understand Prof. Bellovin's point also. The point I was trying to make is that it is a malformed packet and, IMHO, all malformed packets are suspicious. I believe Prof. Bellovin published a paper on this (not sure). I read it a long time ago.

It is a well-known technique used by attackers to evade firewalls. All malformed packets are suspicious in my opinion. You get them, can't stop them, and some are more harmful than others, in this case crashing hosts.

By the way, who said a firewall is a rock-solid security mechanism? It is a better-than-nothing kind of thing.

Pall

 

On Feb 16, 2005, at 10:05 AM, Greg Sayadian wrote:

It is certainly possible with some routers to implement filtering based on packet size. And as we know, per RFC, valid packets have a minimum size. So you can do things like filter on 40-byte SYN packets and drop, count, log, etc. However, some routers don't do this and will pass any fragment with the MF bit set. This applies to firewall vendors as well. To get the legitimate answer to your question you will need to look at the specific device you are interested in and see how it reacts.

Greg

 

Steven M. Bellovin wrote:

hwas Manral" writes:

Hi Pall,

We are not talking about right implementations of IP fragmentation. We are talking about what firewalls do in case of small fragments which can be caused by an attack.

Are such fragments discarded by the firewall in ISP (is it an option to discard it)?

The problem is very well known in the firewall community. For that matter, see RFC 1858, which documents it. I believe that most firewall products handle it properly.

--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb

 

--
<><
Greg Sayadian
AOL
703-265-2483

Pall Ramanathan
Work: 678-9359670
Mobile: 678-576-7105
www.amalannetworks.com

Learn like you will live for ever and Live like you will die tomorrow. - Gandhi
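Added example, not code from any participant in this thread: a Python implementation of the two RFC 1858 tiny-fragment rules Bellovin points to (drop a first fragment too short to hold the TCP header; drop a TCP fragment at offset 1, which would overwrite the flags on reassembly), applied to IPv4 and, for the IPv6 case Vishwas raises, after walking the extension-header chain to see whether the TCP header actually made it into the first fragment at all. It assumes raw IP packets as `bytes`, takes the full 20-byte fixed TCP header as the minimum length (the choice of minimum is this example's, not prescribed here), parses only the hop-by-hop, routing, destination-options and fragment extension headers, and builds its sample packets inline (constructed, not captured traffic).

```python
import struct

TCP = 6
TCP_HDR_MIN = 20              # assumption: first fragment must carry the whole fixed TCP header
IPV6_FRAGMENT = 44
IPV6_OPTION_EXT = {0, 43, 60}  # hop-by-hop, routing, destination options: (len + 1) * 8 bytes


def check_ipv4(pkt: bytes) -> str:
    """Apply the two RFC 1858 rules to a raw IPv4 packet; return the filter verdict."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    fo = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF   # fragment offset, 8-byte units
    if pkt[9] != TCP:
        return "pass"
    transport_len = min(total_len, len(pkt)) - ihl
    # Rule 1: a first fragment (FO=0) that cannot hold the TCP header hides the
    # ports and flags from any filter that only inspects the first fragment.
    if fo == 0 and transport_len < TCP_HDR_MIN:
        return "drop: tiny first fragment"
    # Rule 2: a fragment at FO=1 starts 8 bytes in and would overwrite the flags
    # of a conformant first fragment when the host reassembles.
    if fo == 1:
        return "drop: fragment offset 1"
    return "pass"


def check_ipv6(pkt: bytes) -> str:
    """Same rules for IPv6, after walking the extension headers to reach TCP."""
    end = min(40 + struct.unpack("!H", pkt[4:6])[0], len(pkt))
    nh, off = pkt[6], 40
    fo, fragmented = 0, False
    while off < end and (nh == IPV6_FRAGMENT or nh in IPV6_OPTION_EXT):
        if nh == IPV6_FRAGMENT:
            if off + 8 > end:
                return "drop: truncated fragment header"
            fo = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            nh, off, fragmented = pkt[off], off + 8, True
        else:
            if off + 2 > end:
                return "drop: truncated extension header"
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    if nh == IPV6_FRAGMENT or nh in IPV6_OPTION_EXT:
        # The chain itself runs past this fragment: the transport header is not here.
        return "drop: header chain incomplete"
    if nh != TCP:
        return "pass"             # not TCP, or a header type this example does not parse
    if fo == 0 and end - off < TCP_HDR_MIN:
        return "drop: tiny first fragment" if fragmented else "drop: truncated TCP header"
    if fragmented and fo == 1:
        return "drop: fragment offset 1"
    return "pass"


# --- constructed sample packets (test input only, checksums left zero) ---------

def tcp_syn() -> bytes:
    """20-byte TCP SYN header: sport 1234, dport 80, seq 1, data offset 5."""
    return struct.pack("!HHIIBBHHH", 1234, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


def ipv4_packet(payload: bytes, fo: int = 0, mf: bool = False) -> bytes:
    """IPv4 header (no options) for protocol 6 in front of `payload`."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                       (0x2000 if mf else 0) | fo, 64, TCP, 0, bytes(4), bytes(4)) + payload


def ipv6_packet(next_hdr: int, chain: bytes) -> bytes:
    """IPv6 base header in front of `chain` (extension headers plus payload)."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(chain), next_hdr, 64,
                       bytes(16), bytes(16)) + chain


def frag_hdr(next_hdr: int, fo: int, more: bool) -> bytes:
    return struct.pack("!BBHI", next_hdr, 0, (fo << 3) | int(more), 0x1)


def dest_opts(next_hdr: int) -> bytes:
    """Minimal 8-byte Destination Options header holding one PadN option."""
    return bytes([next_hdr, 0, 1, 4, 0, 0, 0, 0])


def demo() -> dict:
    syn = tcp_syn()
    return {
        "v4 whole syn": check_ipv4(ipv4_packet(syn)),
        "v4 8-byte first frag": check_ipv4(ipv4_packet(syn[:8], fo=0, mf=True)),
        "v4 offset-1 frag": check_ipv4(ipv4_packet(syn[8:], fo=1)),
        "v4 data frag": check_ipv4(ipv4_packet(b"x" * 16, fo=3)),
        "v6 syn after dest-opts": check_ipv6(ipv6_packet(60, dest_opts(TCP) + syn)),
        "v6 frag ends before tcp": check_ipv6(
            ipv6_packet(IPV6_FRAGMENT, frag_hdr(60, 0, True) + dest_opts(TCP))),
        "v6 chain cut short": check_ipv6(ipv6_packet(IPV6_FRAGMENT, frag_hdr(60, 0, True))),
        "v6 second frag": check_ipv6(
            ipv6_packet(IPV6_FRAGMENT, frag_hdr(TCP, 2, False) + b"x" * 16)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26s} -> {verdict}")
```

These are stateless, first-fragment-only checks of the kind Greg describes a router or firewall applying (the IPv4 40-byte SYN filter is rule 1 with a different minimum); they do not replace reassembly, which is what it takes to catch overlapping fragments at offsets other than 1. The IPv6 branch matters for Vishwas's question because a long extension-header chain can legitimately push the TCP header out of the first fragment; a filter that returns "pass" on not finding TCP there has no flags to look at. Later IPv6 guidance (RFC 7112) requires the whole header chain to fit in the first fragment, which is what the "header chain incomplete" verdict enforces.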