RE: DROP or REJECT FILTERS for fragmented TCP scans

From: David Gillett (
Date: 04/17/03

  • Next message: Nickels, Walter P (Nick), SOLCM: "RE: Home LAN Needs Opinion"
    From: "David Gillett" <>
    To: <>
    Date: Thu, 17 Apr 2003 13:54:30 -0700

    > -----Original Message-----
    > From: Ali Saifullah Khan []
    > How effective (if effective) would either IPTABLES REJECT
    > or DROP filters be in the case of fragmented scans where the
    > TCP header is divided over a range of smaller packets ?

      My opinion is that any security barrier device worth its
    salt should discard all IP fragments. (I don't know what
    iptables does, but that's my recommendation.)

      The problems with forwarding them intact are well documented.
      Some products attempt to deal with these problems by performing
    packet reassembly at the security device. But I'm not sure that
    that is useful, and the very act of performing packet reassembly
    makes the device vulnerable to Denial-of-Service by targeting
    that function.
      Clients can either have a working MTU setting, or perform
    MTU discovery. So I don't think discarding fragments has to
    break anything that's properly implemented.

      Most of the time that I see IP fragments on our network, they're
    part of an unsophisticated brute-force attempt by compromised or
    infected machines to overwhelm some target on the Internet (and
    what they turn out to actually do is overwhelm OUR Internet
    connection). So the sooner I can discard that traffic, the better
    for all.

    David Gillett
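
The fragment handling discussed in this message, as an added example that is not part of the original e-mail: a Python classifier that reads the IPv4 fragmentation fields and applies the "discard all fragments" policy, also labelling the case from the question where the TCP header is split across fragments. The function names, the 20-byte minimum and the sample packets are assumptions constructed for illustration.

```python
import struct

TCP = 6
MIN_TCP_HEADER = 20  # assumption: require the full fixed TCP header in fragment 0

def classify_ipv4(packet: bytes) -> str:
    """Classify one raw IPv4 packet by its fragmentation fields."""
    if len(packet) < 20:
        return "malformed"
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(packet) < total_len:
        return "malformed"
    more_fragments = bool(flags_frag & 0x2000)   # MF bit
    offset = (flags_frag & 0x1FFF) * 8           # fragment offset in bytes
    if not more_fragments and offset == 0:
        return "whole"
    if proto == TCP:
        if offset == 0 and total_len - ihl < MIN_TCP_HEADER:
            return "tiny-first-fragment"         # TCP header split across fragments
        if 0 < offset < MIN_TCP_HEADER:
            return "header-overlap"              # data would land inside the TCP header
    return "fragment"

def verdict(packet: bytes) -> str:
    """Policy from the message above: forward only unfragmented packets."""
    return "PASS" if classify_ipv4(packet) == "whole" else "DROP"

def build_ipv4(flags_frag: int, payload: bytes, proto: int = TCP) -> bytes:
    """Constructed sample packet (header checksum left at 0, not validated here)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         flags_frag, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return header + payload

if __name__ == "__main__":
    samples = {  # constructed inputs, not captured traffic
        "unfragmented, DF set": build_ipv4(0x4000, b"\x00" * 20),
        "first fragment, 8 bytes": build_ipv4(0x2000, b"\x00" * 8),
        "fragment at byte offset 8": build_ipv4(0x0001, b"\x00" * 12),
        "fragment at byte offset 1480": build_ipv4(0x20B9, b"\x00" * 64),
    }
    for name, pkt in samples.items():
        print(f"{name:30} {classify_ipv4(pkt):20} {verdict(pkt)}")
```

The classification label is there for logging; the verdict is the same for every fragment type, which is why this policy needs no reassembly state on the filtering device.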
