Re: [fw-wiz] CERT vulnerability note VU# 539363 (fwd)

From: Mike Frantzen
Date: 10/22/02

From: Mike Frantzen
To: Darren Reed
Date: Tue Oct 22 12:14:19 2002

> Mike's "reference" here is the hash table IPFilter uses (maybe others).
> FWIW, it gets distributed with a predefined size and most likely most
> people never change this. That said, nobody has ever come to me and
> said "here's a patch to fix it" or "my firewall is running like a dog
> because of this attack". Be that as it may, code has been in place for
> some time to address this issue, in future, using a secret.

Most firewalls I've seen used a hash table that could be attacked.
Linux's Netfilter (2.4 and 2.5) too. It chooses its size based on the
memory size in the machine though.
Hell. I wrote one a few summers back over the course of a few weekends
which had a very easily attacked state table too.

I'm looking forward to how you incorporate a secret into the hash.
There isn't enough good cryptographer blood in me to trust myself to
write a safe hash function.