RE: DROP or REJECT FILTERS for fragmented TCP scans

From: David Gillett (
Date: 04/17/03

  • Next message: Nickels, Walter P (Nick), SOLCM: "RE: Home LAN Needs Opinion"
    From: "David Gillett" <>
    To: <>
    Date: Thu, 17 Apr 2003 13:54:30 -0700

    > -----Original Message-----
    > From: Ali Saifullah Khan []
    > How effective ( if affective ) would either IPTABLES REJECT
    > or DROP filters be in the case of fragmented scans where the
    > TCP header is divided over a range of smaller packets ?

      My opinion is that any security barrier device worth its
    salt should discard all IP fragments. (I don't know what
    iptables does, but that's my recommendation.)

      The problems with forwarding them intact are well documented.
      Some products attempt to deal with these problems by performing
    packet reassembly at the security device. But I'm not sure that
    that is useful, and the very act of performing packet reassembly
    makes the device vulnerable to Denial-of-Service by targeting
    that function.
      Clients can either have a working MTU setting, or perform
    MTU discovery. So I don't think discarding fragments has to
    break anything that's properly implemented.

      Most of the time that I see IP fragments on our network, they're
    part of an unsophisticated brute-force attempt by compromised or
    infected machines to overwhelm some target on the Internet (and
    what they turn out to actually do is overwhelm OUR Internet
    connection). So the sooner I can discard that traffic, the better
    for all.

    David Gillett

    Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
    world's premier event for IT and network security experts. The two-day
    Training features 6 hand-on courses on May 12-13 taught by professionals.
    The two-day Briefings on May 14-15 features 24 top speakers with no vendor
    sales pitches. Deadline for the best rates is April 25. Register today to
    ensure your place.

  • Next message: Nickels, Walter P (Nick), SOLCM: "RE: Home LAN Needs Opinion"

    Relevant Pages

    • Re: [FIX] dummynet breaks IP reassembly
      ... When forwarding fragmented packets through a dummynet pipe ... delivery sets ip_id of all fragments to different values, ... This bit was kept in the dummynet packet ...
    • Re: Two minor IPFW-related questions
      ... packate fragments out there on the Internet? ... First let me send a big THANK YOU to Giorgos Keramidas for providing such ... timely and detailed replies to my IPFW questions. ... I do believe that these packet fragments ...
    • RE: Reassembling IP packet Fragments w/o First Fragment
      ... If you force packet reassembly to occur on a router/firewall, ... If you drop second/subsequent fragments that arrive before the ... > packets once they all pass through the firewall. ...
    • Re: RFC: MTU for serving NFS on Infiniband
      ... packet payload in a linear buffer. ... MTU-sized fragments, ... generate packets smaller than the MTU. ... the UDP checksum is so weak that the resulting UDP packet will be consumed by the NFS ...
    • RE: IDSIPS that can handle one Gig
      ... make "any sense in real world security policy". ... devices through use of fragments. ... traffic, an attack can spread itself across multiple packets, which all ... Find out quickly and easily by testing it with real-world attacks from ...