[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: TCP small fragments



40 byte SYN is different from a fragmented TCP header. Yes you are correct, you can stop anything depending on the time and effort you want put in ($$). I guess one can theoretically create a signature for every permutation of the TCP header to stop it getting through.

Coming back to original point on stacks and server crashing, a well designed stack/driver should not process anything that does not adhere to specification, it should simply ignore and act on them. This may not stop the intruder but it will stop the server from crashing.

A sound security implementation coupled with a good audit policy should discover fragmentation issue.

Pall

On Feb 16, 2005, at 1:44 PM, Greg Sayadian wrote:

I agree that malformed packets are suspicious. But I disagree that you cannot stop them. That what my point. In my example the malformed packet was a 40 byte SYN, it could be anything. With some vendors (be it router or stateful firewall) you have the option of filtering on these types of packets so long as you know the signature. Other vendors however have no capability and pass anything with an IP address.

Greg

pmrn wrote:
Hi,
I understood your point about Firewalls. Understand Prof. Bellovian's point also. The point I was trying to make is that it is a malformed packet and IMHO, all malformed packets are suspicious. I believe, Prof. Bellovian published paper on this (not sure). Read it long time ago.
It is a well known technique used by attackers to evade firewalls. All malformed packets are suspicious in my opinion. You get them, can't stop them and some are more harmful than others, in this case crashing hosts.
By the way who said Firewall is a Rock Solid security mechanism, it is something better than nothing kind of thing.
Pall
On Feb 16, 2005, at 10:05 AM, Greg Sayadian wrote:
It is certainly possible with some routers to implement filtering
based on packet size. And as we know per RFC that valid packets have
a minimum size. So you can do things like filter on 40 byte SYN
packets and drop, count, log, etc. However some routers don't do
this and will pass any fragment with a MF bit set. This translates
into firewall vendors as well. To get the legitimate answer to your
question you will need to look at the specific device you are
interested in and see how it reacts.
Greg
Steven M. Bellovin wrote:
In message

<BB6D74C75CC76A419B6D6FA7C38317B2628B83@sinett-sbs.SiNett.LAN>,
"Vis
hwas Manral" writes:
Hi Pall,
We are not talking about right implementations of IP
fragmentation. We are tal
king about what firewalls do in case of small fragments
hwhich can be caused b
y an attack.
Are such fragments discarded by the firewall in ISP(is it an
option to discard
it)?
The problem is very well known in the firewall community. For
that matter, see RFC 1858, which documents it. I believe that
most firewall products handle it properly.
--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
-- <><
Greg Sayadian
AOL
703-265-2483
*Pall Ramanathan
Work: 678-9359670
Mobile: 678-576-7105
www.amalannetworks.com*
*Learn like you will live for ever and Live like you will die tomorrow-Gandhi*

--
<><
Greg Sayadian
AOL
703-265-2483

Pall Ramanathan
Work: 678-9359670
Mobile: 678-576-7105

www.amalannetworks.com


Learn like you will live for ever and Live like you will die tomorrow-Gandhi