Re: block CodeRed/Nimda at the firewall?

From: RainbowHat (nHiATlE_at_blSackholeP.mAit.edMu.invalid)
Date: 05/16/03

• Next message: jack: "Re: how to start iptables on dsl ppp0"
• Previous message: Robert Delahunt: "newbie"
• In reply to: D. Stussy: "Re: block CodeRed/Nimda at the firewall?"
• Next in thread: RainbowHat: "Re: block CodeRed/Nimda at the firewall?"
• Reply: RainbowHat: "Re: block CodeRed/Nimda at the firewall?"
• Reply: D. Stussy: "Re: block CodeRed/Nimda at the firewall?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Fri, 16 May 2003 11:10:17 +0000 (UTC)

< D. Stussy

>1) UDP packets cannot be fragmented. Only TCP packets can.
     ~~~ ~~~ ~~~~
Wrong. All IP packets can be fragmented.

>2) Some TCP implementations may try fragmented packets before falling back to
     ~~~~ ~~~
     Most IP
>unfragmented ones. Furthermore, it's always possible that a packet may come
>over some link that has a different (smaller) MTU than the other links in that
>transmission and thus be fragmented. It's possible that your machine is left
>to do the reintegration....

"Fragmentation" is a concept of IP layer. TCP|UDP are another layer.
TCP have a concept of "Segmentation". TCP negotiate MSS (Maximum
Segment Size) at 3-way handshake. (Or use default smallest MSS if no
TCP MSS option.) UDP don't have this mechanism. UDP and ICMP large
echo/reply will be IP fragment. Some few cases that TCP will be IP
fragment as you described.

BTW there are PMTUD (Path MTU Discovery) capability.

-- 
Regards, RainbowHat. To spoof or not to spoof, that is the IPv4 packet.
----+----1----+----2----+----3----+----4----+----5----+----6----+----7

---

• Next message: jack: "Re: how to start iptables on dsl ppp0"
• Previous message: Robert Delahunt: "newbie"
• In reply to: D. Stussy: "Re: block CodeRed/Nimda at the firewall?"
• Next in thread: RainbowHat: "Re: block CodeRed/Nimda at the firewall?"
• Reply: RainbowHat: "Re: block CodeRed/Nimda at the firewall?"
• Reply: D. Stussy: "Re: block CodeRed/Nimda at the firewall?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: [Full-Disclosure] A new TCP/IP blind data injection technique? ... For example the BorderWare Firewall will not accept fragmented packets, ... Then pass or drop the packet. ... > should be fairly easy to turn this into a practical attack. ... The other fragment of Bob's packet carry the ... (Full-Disclosure) Re: OID_TCP_TASK_OFFLOAD question ... Well, right, TCP packets will not fragment at sender because there is no ... you just send up to the MTU limit. ... a TCP segment usually fits in a single network packet at the ... (microsoft.public.development.device.drivers) Re: Sockets: How to force recv of unknown data size (all data) ... >>this mean the packet gets splitted into two sends? ... TCP will typically fragment in MSS-sized packets ... >to opinions held by my employer, ... (comp.unix.programmer) Re: 8159 bytes takes 20 ms, 8160 bytes takes 200 ms? ... look for Nagle algorithm in TCP ... > this is what etheral shows, a packet with ack and push flag set, and win2k ... > Header length: 20 bytes ... > Fragment offset: 0 ... (microsoft.public.win32.programmer.networks) Re: sshd hangs after SSH2_MSG_KEXINIT sent - Fedora Core 5 update ... For each network interface on both client and server set the MTU to 576, ... Only the first fragment has TCP port numbers. ... such devices should perform packet reassembly first so as to properly consider fragmented packets. ... (SSH)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > comp.os.linux.security  > 2003-05