Re: Clever firewall rules

From: Pete Toscano (pete@research.netsol.com)
Date: 09/14/01


Date: Fri, 14 Sep 2001 11:24:19 -0400
From: Pete Toscano <pete@research.netsol.com>
To: focus-linux <focus-linux@lists.securityfocus.com>
Subject: Re: Clever firewall rules
Message-ID: <20010914112419.B1667@tesla.admin.cto.netsol.com>



On Thu, 13 Sep 2001, Seth Arnold wrote:

> > Just drops fragments. I'm not really an expert on this, but I heard that
> > fragments can be used maliciously (in port scans and such) and have little
> > to no valid use nowadays, so I thought it might be smart to block them.
[snip]
> they are still very valid. With many hosts pumping out packets for
> ethernet, then a gateway encapsulating those for ipsec/ssh/vpns/etc,
> packets often get fragmented.

Very good point. I've already encountered problems with some load
balancers not correctly handling fragmented UDP packets. A lot of these
secure protocols (don't forget DNSSEC =) can generate packets > a
machine's MTU.

pete

-- 
Pete Toscano            pete@research.netsol.com            703.948.3364
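The failure mode discussed in this thread, as an added example that is not part of the original message or anything Pete or Seth posted: a small pure-Python model of IPv4 fragmentation that shows what a "drop fragments" firewall rule does to a UDP datagram larger than the path MTU (a large DNSSEC response, or traffic that grew past the MTU after IPsec/VPN encapsulation). The 20-byte header length, the 1500-byte MTU and the sample payloads are constructed for illustration; the two policy functions are my rendering of the rule in the thread and of a rule that matches only second and later fragments (the way iptables' `-f` match does), not code from any firewall.

```python
"""
Added example (not from the mailing-list thread): model IPv4 fragmentation,
run the fragments through a firewall policy, and try to reassemble at the
receiver. Shows why dropping fragments breaks any datagram larger than the MTU.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

IPV4_HEADER_LEN = 20  # assumption: no IP options


@dataclass(frozen=True)
class Fragment:
    ident: int            # IP identification field, shared by all pieces of one datagram
    offset: int           # fragment offset in 8-byte units, as in the IP header
    more_fragments: bool  # MF flag
    data: bytes


def fragment(payload: bytes, mtu: int, ident: int = 0x1234) -> List[Fragment]:
    """Split a transport payload into fragments that each fit in `mtu` bytes.
    Every fragment except the last carries a multiple of 8 data bytes (RFC 791)."""
    max_data = (mtu - IPV4_HEADER_LEN) // 8 * 8
    if max_data <= 0:
        raise ValueError("MTU too small to carry any data")
    frags, pos = [], 0
    while pos < len(payload):
        chunk = payload[pos:pos + max_data]
        more = (pos + len(chunk)) < len(payload)
        frags.append(Fragment(ident, pos // 8, more, chunk))
        pos += len(chunk)
    return frags


def is_fragment(f: Fragment) -> bool:
    """True for any packet that is part of a fragmented datagram (MF set or offset != 0)."""
    return f.more_fragments or f.offset != 0


def drop_all_fragments(f: Fragment) -> bool:
    """The rule from the thread: drop anything that is a fragment, first piece included."""
    return not is_fragment(f)


def drop_non_first_fragments(f: Fragment) -> bool:
    """A rule that matches only second and later fragments (iptables '-f' semantics):
    the first fragment passes, the rest are dropped."""
    return f.offset == 0


def allow_all(f: Fragment) -> bool:
    return True


def reassemble(frags: List[Fragment]) -> Optional[bytes]:
    """Rebuild the datagram in offset order; None if any piece is missing."""
    if not frags:
        return None
    ordered = sorted(frags, key=lambda f: f.offset)
    out, expected = bytearray(), 0
    for f in ordered:
        if f.offset * 8 != expected:
            return None  # hole in the reassembly buffer: a fragment was dropped
        out += f.data
        expected += len(f.data)
    if ordered[-1].more_fragments:
        return None      # the final fragment never arrived
    return bytes(out)


def deliver(payload: bytes, mtu: int, policy: Callable[[Fragment], bool]) -> Optional[bytes]:
    """Fragment at the sender, filter each packet with the firewall policy,
    reassemble at the receiver. Returns the datagram or None if it was lost."""
    passed = [f for f in fragment(payload, mtu) if policy(f)]
    return reassemble(passed)


if __name__ == "__main__":
    small = b"A" * 100    # constructed: fits in one packet, e.g. a plain DNS query
    big = b"B" * 4000     # constructed: larger than the MTU, e.g. a DNSSEC response
    for name, policy in [("allow_all", allow_all),
                         ("drop_all_fragments", drop_all_fragments),
                         ("drop_non_first_fragments", drop_non_first_fragments)]:
        ok_small = deliver(small, 1500, policy) == small
        ok_big = deliver(big, 1500, policy) == big
        print(f"{name:26s} small datagram: {ok_small}  large datagram: {ok_big}")
```

Both fragment-dropping policies pass the 100-byte datagram untouched and lose the 4000-byte one entirely, which is exactly the "works until the answer gets big" behaviour that makes such rules hard to diagnose in production.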
