(Gee, lots of xrefs in this mail, hope it gets through to everyone)
Steve J Kuo wrote:
>
> "If a continuous stream of fragmented IP datagrams with a particular
> malformation were sent to an affected machine...."
The exact vulnerability consists of sending 150+ _identical_
fragments to a machine. There's nothing malformed about them.
There's just a whole lot of DUPed fragments.
> Do we know for sure if Gauntlet (plug or proxy) or Checkpoint (stateful
> inspection) can block this vulnerability?
Proxy firewalls (no stateless packet filtering cheats installed) won't
let things like these through since the packet will fail to reassemble.
The question is if the firewall itself will survive, lest it DoS your
entire internet connection (ouch!).
(IMHO, this is a problem that proxy people fail to mention when they
discuss transport/network level DoS attacks)
I don't know how well Gauntlet on NT handles this. Someone else?
Stateful inspection firewalls worth their name ought to be able
to protect you from this if the guy that coded the fragment
(pseudo)reassembly routines had half a brain. I would certainly
hope that FW-1 is included in this category.
However, I could almost bet that those small "integrated firewall"
modems that sell for pocket change will let it right through.
Plain packet filtering routers won't help you either.
$.02
/Mike
--
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-29 92 00 Fax: +46-(0)660-122 50
Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se E-mail: [EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
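Added example (not part of Mike's message, and not any vendor's reassembly code): a toy IPv4 fragment reassembler in Python that shows the property he is asking for in the firewall's reassembly routines, i.e. that a stream of identical fragments is treated idempotently and costs one buffer slot rather than one per copy, while per-datagram and per-table state stays bounded. The addresses, IP ID, payloads, the table limits and the alert threshold of 150 (taken from the "150+" figure above) are constructed assumptions for the demonstration; a real implementation would also need a reassembly timer and a per-source limit.

```python
import socket
import struct
from collections import OrderedDict

IP_MF = 0x2000            # "more fragments" flag
IP_OFFSET_MASK = 0x1FFF   # fragment offset field, in 8-byte units


def build_fragment(src, dst, ident, offset8, more, payload, proto=17):
    """Minimal IPv4 header (no options, checksum left zero) plus payload.
    Only used here to construct test traffic offline."""
    frag_field = (IP_MF if more else 0) | (offset8 & IP_OFFSET_MASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      frag_field, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def parse_fragment(pkt):
    """Reassembly key (src, dst, id, proto), byte offset, MF flag, payload."""
    ver_ihl, _, total_len, ident, frag_field, _, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"key": (socket.inet_ntoa(src), socket.inet_ntoa(dst), ident, proto),
            "offset": (frag_field & IP_OFFSET_MASK) * 8,
            "more": bool(frag_field & IP_MF),
            "payload": pkt[ihl:total_len]}


class Reassembler:
    """Per-datagram fragment buffer with bounded state. A fragment whose offset
    is already buffered is counted as a duplicate and discarded, so N copies of
    one fragment cost one slot, not N. Limits and threshold are assumptions."""

    def __init__(self, max_datagrams=64, max_frags=64, dup_alert=150):
        self.table = OrderedDict()   # key -> {"frags": {offset: bytes}, "total", "dups"}
        self.max_datagrams = max_datagrams
        self.max_frags = max_frags
        self.dup_alert = dup_alert   # assumed threshold, from the "150+" in the post
        self.alerts = []

    def feed(self, pkt):
        """Buffer one fragment; return the full datagram once complete, else None."""
        f = parse_fragment(pkt)
        key = f["key"]
        if key not in self.table:
            if len(self.table) >= self.max_datagrams:
                self.table.popitem(last=False)     # evict the oldest incomplete datagram
            self.table[key] = {"frags": {}, "total": None, "dups": 0}
        entry = self.table[key]
        frags = entry["frags"]
        if f["offset"] in frags:                   # duplicate: count it, allocate nothing
            entry["dups"] += 1
            if entry["dups"] == self.dup_alert:
                self.alerts.append((key, entry["dups"]))
            return None
        if len(frags) >= self.max_frags:           # refuse to grow this datagram further
            return None
        frags[f["offset"]] = f["payload"]
        if not f["more"]:
            entry["total"] = f["offset"] + len(f["payload"])
        return self._try_complete(key, entry)

    def _try_complete(self, key, entry):
        if entry["total"] is None:
            return None
        expected, parts = 0, []
        for off in sorted(entry["frags"]):
            if off < expected:                     # overlapping fragment: drop the datagram
                del self.table[key]
                return None
            if off > expected:                     # hole: keep waiting
                return None
            parts.append(entry["frags"][off])
            expected = off + len(parts[-1])
        if expected != entry["total"]:
            return None
        del self.table[key]
        return b"".join(parts)

    def status(self, key):
        """(buffered fragments, duplicates seen) for a datagram still in the table."""
        e = self.table.get(key)
        return (len(e["frags"]), e["dups"]) if e else (0, 0)


def simulate_duplicate_flood(count=200):
    """Feed `count` copies of one never-completing fragment (constructed traffic)."""
    r = Reassembler()
    frag = build_fragment("10.0.0.1", "10.0.0.2", 0xBEEF, 1, True, b"A" * 16)
    for _ in range(count):
        r.feed(frag)
    return r.status(("10.0.0.1", "10.0.0.2", 0xBEEF, 17)), r.alerts


def simulate_normal_datagram():
    """Two well-formed fragments reassemble and release their table entry."""
    r = Reassembler()
    r.feed(build_fragment("10.0.0.1", "10.0.0.2", 1, 0, True, b"x" * 16))
    data = r.feed(build_fragment("10.0.0.1", "10.0.0.2", 1, 2, False, b"y" * 8))
    return data, len(r.table)


if __name__ == "__main__":
    print(simulate_duplicate_flood())
    print(simulate_normal_datagram())
```

With 200 copies of the same fragment the table holds a single 16-byte payload, records 199 duplicates and raises one alert at the 150th; the two-fragment datagram reassembles to 24 bytes and leaves the table empty. The design choice worth copying is that the duplicate check happens before any allocation, which is what keeps a flood of DUPed fragments from consuming memory on the firewall itself.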