At 2:54 PM -0700 4/23/00, Dave Carmean wrote:
>How much packet fragmentation do folks see in "normal" Internet
>traffic? I.e. where path-MTU discovery hasn't been broken, etc.
>In other words: what should I expect if I were to simply disallow all
>inbound fragments?
>
>Also, at a BayLISA meeting last week, Brent mentioned something about
>fragmentation being used to bypass packet filtering by somehow re-writing
>part of the header during reassembly, and I think he mentioned this as
>being something that Mitnick did as part of attacking Shimomura's machine(s)?
>Was this just the result of a buggy IP stack somewhere interpreting the
>offset field as a signed integer or something equally stupid?
Actually, I think that you have two different parts of the discussion
run together. Simon Cooper (the speaker at the BayLISA meeting)
talked about how someone could use overlapping fragments to attack
badly implemented IP stacks. Later, somebody in the audience asked
how an attack with forged source IP addresses could be carried out,
given that the attacker wouldn't get the response packets back. I
explained that if the response packets were predictable enough (and
they usually are), then the attacker didn't need to see them, and
could hold up their end of the conversation just by guessing what
they were. I then mentioned in passing that this was part of how
Mitnick broke into Tsutomu's machine.
The point I was trying to make had nothing to do with fragmentation,
although fragment abuse is one of the ways you could forge a source
address, given a sufficiently broken IP stack on the target machine;
sorry if I didn't make that clear.
-Brent
--
Brent Chapman Great Circle Associates, Inc.
[EMAIL PROTECTED] http://www.greatcircle.com/
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
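As an added illustration of the two fragment tricks mentioned above (this is example code written for this page, not anything posted by Dave, Brent or Simon): a small stateful checker of the kind a packet filter can run on inbound fragments before reassembly. It drops a first fragment too short to carry the transport header, and drops any later fragment that overlaps bytes already accepted for the same datagram, so a second "offset 0" fragment can never rewrite the TCP port bytes no matter which copy the receiving stack would prefer. The Fragment fields, the MIN_FIRST_FRAGMENT value and the sample fragments in demo() are all constructed for the example.

```python
"""Fragment filter: reject tiny first fragments and overlapping fragments
before reassembly.  Example code; all fragments below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Bytes a first fragment must carry before the filter can judge it.  TCP
# ports, sequence number and flags all fit in the first 20 bytes.  (Assumed
# threshold; RFC 1858 uses a smaller one for the "tiny fragment" test.)
MIN_FIRST_FRAGMENT = 20


@dataclass
class Fragment:
    src: str
    dst: str
    ident: int          # IP identification field
    proto: int          # 6 = TCP
    offset: int         # fragment offset in bytes (header field * 8)
    more: bool          # MF flag
    payload: bytes


@dataclass
class Datagram:
    chunks: Dict[int, bytes] = field(default_factory=dict)  # offset -> data
    total_len: Optional[int] = None  # known once the MF=0 fragment arrives


Key = Tuple[str, str, int, int]


def check_fragment(frag: Fragment, table: Dict[Key, Datagram]) -> str:
    """Return 'accept' or 'drop:<reason>'; accepted data is recorded in table."""
    if frag.more and frag.offset % 8 != 0:
        return "drop:misaligned"           # non-final fragments are 8-byte multiples
    if frag.offset == 0 and frag.more and len(frag.payload) < MIN_FIRST_FRAGMENT:
        return "drop:tiny-first-fragment"  # transport header split across fragments
    key = (frag.src, frag.dst, frag.ident, frag.proto)
    dg = table.setdefault(key, Datagram())
    start, end = frag.offset, frag.offset + len(frag.payload)
    for off, data in dg.chunks.items():
        if start < off + len(data) and off < end:
            return "drop:overlap"          # would overwrite bytes already accepted
    if dg.total_len is not None and end > dg.total_len:
        return "drop:beyond-end"           # data past the declared last fragment
    if not frag.more and any(off + len(d) > end for off, d in dg.chunks.items()):
        return "drop:beyond-end"
    dg.chunks[frag.offset] = frag.payload
    if not frag.more:
        dg.total_len = end
    return "accept"


def reassemble(key: Key, table: Dict[Key, Datagram]) -> Optional[bytes]:
    """Return the full payload once every byte is present, else None."""
    dg = table.get(key)
    if dg is None or dg.total_len is None:
        return None
    out = bytearray(dg.total_len)
    covered = 0
    for off, data in dg.chunks.items():   # chunks never overlap, so sizes add up
        out[off:off + len(data)] = data
        covered += len(data)
    if covered != dg.total_len:
        return None
    del table[key]
    return bytes(out)


def demo() -> Dict[str, object]:
    """Run constructed fragments through the checker and report each verdict."""
    table: Dict[Key, Datagram] = {}
    src, dst = "10.0.0.2", "192.0.2.10"              # constructed addresses
    # Constructed TCP header: src port 40000, dst port 25 at bytes 2..3, then
    # 16 zero bytes standing in for seq/ack/flags/window/checksum/urgent.
    tcp_hdr = (40000).to_bytes(2, "big") + (25).to_bytes(2, "big") + b"\x00" * 16
    first = Fragment(src, dst, 1, 6, 0, True, tcp_hdr + b"A" * 12)
    last = Fragment(src, dst, 1, 6, 32, False, b"B" * 8)
    # Second offset-0 fragment for the same datagram carrying port 23 instead;
    # a stack that favoured it would see a different destination port.
    overlap = Fragment(src, dst, 1, 6, 0, True,
                       tcp_hdr[:2] + (23).to_bytes(2, "big") + tcp_hdr[4:] + b"A" * 12)
    tiny = Fragment(src, dst, 2, 6, 0, True, tcp_hdr[:8])   # ports only, no flags
    verdicts: Dict[str, object] = {
        "benign-first": check_fragment(first, table),
        "benign-last": check_fragment(last, table),
        "overlap": check_fragment(overlap, table),
        "tiny-first": check_fragment(tiny, table),
    }
    data = reassemble((src, dst, 1, 6), table)
    verdicts["reassembled-dst-port"] = int.from_bytes(data[2:4], "big") if data else None
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Two things worth knowing before copying this policy into a real filter: it rejects every overlap, including exact duplicates, which is the safe choice for a border filter but stricter than most end-host stacks; and it keys partial datagrams by (src, dst, id, proto) without any timeout, so a production version needs to expire stale entries or an attacker can fill the table with half-sent datagrams.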