folx,

wrt denial of service and stateful packet filters and frags: is there a reason why people don't do fragment reassembly in the kernel prior to analysing/forwarding the packet? many unix variants (including linux) will do this and thereby protect your stateful packet filter (a funny notion that it needs protection) from fragmentation denial of service attacks.

what am i missing here?

On Wed, 2 Aug 2000, Paul D. Robertson wrote:

> > wrt denial of service - it goes without saying that a stateful inspection
> > firewall can be locked up with a simple state holding attack, such as
> > Lance Spitzner's frag flood, or something more evil:
>
> Not just stateful firewalls have trouble with frag floods- some vendors'
> OS still have trouble too. In that case, ALG's on those systems will fall
> over or stop passing traffic.

todd
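The trade-off discussed in this message, as an added example (not from the original post or from any kernel): a reassembler placed ahead of the filter still holds per-datagram state, so it caps the number of incomplete datagrams and times them out. `MAX_QUEUES`, `TIMEOUT`, the `Reassembler` class and the byte-granular offsets are assumptions made for illustration.

```python
from collections import OrderedDict

MAX_QUEUES = 4    # assumed cap on incomplete datagrams held at once
TIMEOUT = 30.0    # assumed lifetime (seconds) of an incomplete datagram


class Reassembler:
    """Reassembles fragments before the filter sees them, with bounded state."""

    def __init__(self):
        self.queues = OrderedDict()  # (src, dst, proto, id) -> queue, oldest first
        self.evicted = 0

    def _expire(self, now):
        # Queues are in arrival order, so stop at the first one still fresh.
        while self.queues:
            key, q = next(iter(self.queues.items()))
            if now - q["first"] < TIMEOUT:
                break
            del self.queues[key]
            self.evicted += 1

    def add(self, src, dst, proto, ip_id, offset, more_frags, data, now):
        """Return the whole payload once complete, else None.
        Offsets are in bytes here (a simplification; IPv4 uses 8-byte units)."""
        self._expire(now)
        key = (src, dst, proto, ip_id)
        q = self.queues.get(key)
        if q is None:
            if len(self.queues) >= MAX_QUEUES:
                self.queues.popitem(last=False)  # table full: drop the oldest
                self.evicted += 1
            q = self.queues[key] = {"first": now, "frags": {}, "total": None}
        q["frags"].setdefault(offset, data)      # duplicate offset: first copy wins
        if not more_frags:
            q["total"] = offset + len(data)
        if q["total"] is None:
            return None
        pos, out = 0, bytearray()
        while pos < q["total"]:                  # walk fragments with no gaps
            chunk = q["frags"].get(pos)
            if not chunk:
                return None                      # hole: keep waiting
            out += chunk
            pos += len(chunk)
        del self.queues[key]
        # Overshoot means overlapping fragments: discard rather than forward.
        return bytes(out) if pos == q["total"] else None
```

Only a payload returned by `add` would be handed to the filter; the `evicted` counter is the figure to watch during a fragment flood.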
