I was thinking of using the CBAC. You can have it look at fragmented
packets and set a timeout. Cisco had a problem in the PIX and CBAC in 1998
but made a fix for it.
Neil
"David" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> What is even more fun is trying to send a packet requiring fragmentation
> from Linux through a firewall!  A small snippet in the kernel source
> shows that linux will fragment a packet and send the LAST fragment
> first, for various reasons that I don't completely understand.  This
> means that the first fragment of a packet from a linux host will have no
> layer 4 info!  What is a firewall supposed to do with that other than
> hold it in memory, and use some kind of timers and DoS checking code in
> the firmware?  I only dealt with this on the Netscreens, and they
> currently pass the fragments through for this reason if I remember
> correctly.   This isn't perfect, but not too bad, because the host can
> most likely handle this better than a firewall handling thousands of
> connections for all hosts with a limited memory capacity.
>
> David
>
>
> Nimesh Vakharia wrote:
> >
> > I am curious how the PIX handles this exploit.
> >
> > The exploit is Checkpoint reassembles fragmented packets before forwarding.
> > But it does not inspect the packet in any way until it has completely
> > built the packet... so you can keep sending multiple fragments and it
> > keeps reassembling, using up system resources and probably crashes at one
> > point. Checkpoint supposedly does not check against its rule base
> > (conduit/statics in PIX) when it receives a fragmented packet!
> >
> > I vaguely remember that the PIX ignores the first fragment of the
> > entire series (if it matches the rules) and forwards everything after that.
> > This way irrespective of how malicious the fragment is, it never gets
> > built at the host end....Can anyone confirm as to how the PIX handles
> > fragmented packets?
> >
> > BTW: Check out
> >         http://www.enteract.com/~lspitz/fwtable.html
> >
> > This really shows how much work needs to be done on firewall code!
> >         - Stateful monitoring is a joke
> >         - No inspection on sequence nos.
> >         - Fragments!
> >
> > Nimesh.
> >
> > On Fri, 9 Jun 2000, Richard Holland wrote:
> >
> > >   This is a bit off-topic, but I recall a discussion of using Checkpoint
> > > firewall, and thought I'd share a SANS security newsletter concerning
> > > checkpoint.
> > >
> > > "It's possible to use various fragmented packets (such as those generated by
> > > Jolt2.c) to cause the firewall to crash or operate at 100% CPU utilization.
> > > Firewall rules are ineffective for defense.  More information is in this
> > > issue as item {00.24.025} ("Check Point FireWall-1 fragmentation DoS")."
>
> ___________________________________
> UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
> FAQ, list archives, and subscription info: http://www.groupstudy.com
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
> ---
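The "hold it in memory with timers and DoS checks" approach David describes, and the fragment timeout Neil mentions for CBAC, as an added example that is not code from any poster or vendor: a toy fragment tracker that holds fragments arriving last-first until the offset-0 piece carries layer 4 ports, times out incomplete datagrams, refuses overlapping fragments, and drops a stream that exceeds a per-datagram byte cap. MIN_L4_BYTES, MAX_BUFFERED, TIMEOUT and the offer()/expire() API are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed policy knobs (assumptions, not any vendor's defaults)
MIN_L4_BYTES = 8      # offset-0 fragment must carry at least the TCP/UDP ports
MAX_BUFFERED = 4096   # bytes held per datagram before the tracker gives up
TIMEOUT = 30.0        # seconds an incomplete datagram may wait in the table

@dataclass
class Datagram:
    first_seen: float
    frags: dict = field(default_factory=dict)   # offset -> payload bytes
    total_len: int = -1     # set once the last fragment (more=False) arrives
    buffered: int = 0       # bytes counted against MAX_BUFFERED

class FragmentTracker:
    """Hold fragments until offset 0 carries L4 info and the datagram is whole."""
    def __init__(self):
        self.table = {}     # (src, dst, ip_id) -> Datagram

    def expire(self, now):
        """Drop incomplete datagrams older than TIMEOUT; return how many."""
        stale = [k for k, d in self.table.items() if now - d.first_seen > TIMEOUT]
        for k in stale:
            del self.table[k]
        return len(stale)

    def offer(self, key, offset, payload, more, now):
        """Return 'wait', 'drop', or the reassembled datagram bytes."""
        self.expire(now)
        d = self.table.setdefault(key, Datagram(first_seen=now))
        if d.buffered + len(payload) > MAX_BUFFERED:
            del self.table[key]
            return "drop"                   # an endless fragment stream hits the cap
        d.frags[offset] = payload
        d.buffered += len(payload)
        if not more:
            d.total_len = offset + len(payload)
        head = d.frags.get(0)               # Linux may send the last fragment first
        if head is None or len(head) < MIN_L4_BYTES or d.total_len < 0:
            return "wait"                   # no L4 header yet, or last fragment unseen
        end = 0
        for off in sorted(d.frags):         # contiguous, non-overlapping coverage only
            if off > end:
                return "wait"               # gap still to be filled
            if off < end:
                del self.table[key]
                return "drop"               # overlapping fragments: refuse to guess
            end = off + len(d.frags[off])
        del self.table[key]
        return b"".join(d.frags[o] for o in sorted(d.frags)) if end == d.total_len else "drop"
```

The cap and timeout bound what one (src, dst, ip_id) tuple can pin in memory, which is the resource-exhaustion failure the thread attributes to unbounded reassembly.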