On Wed, 2 Aug 2000, Todd wrote:
> folx,
>
> wrt denial of service and stateful packet filters and frags:
>
> is there a reason why people don't do fragment reassembly in the kernel
> prior to analysing/forwarding the packet? many unix variants (including
If you're filtering, you really don't want that to hit your kernel- that's
expensive context-switch wise. Also, different stacks reassemble
differently (hence the "fool the IDS" games that have been swelling up for
a while.)
> linux) will do this and thereby protect your stateful packet filter
> (a funny notion that it needs protection) from fragmentation denial of
> service attacks.
>
> what am i missing here?
If I frag flood your kernel, it has to worry about the same DoSability
that the firewall had- handling bad frags in time enough to not run out of
resources while still handling legitimate frags and non-fragged traffic.
It's a difficult thing to balance, that's why so many people get it wrong.
If you reassembled frags at a router, my guess is that you'd pretty
quickly get into router buffer tuning issues. Once again breaking the
"lowest common administrator" problem.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
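The two points Paul raises, that stacks reassemble overlapping fragments differently (the "fool the IDS" games) and that a reassembler has to bound its own resources to survive a frag flood, can both be seen in a small model. The following is an added example written for this page, not code from the list post or from any firewall product. It assumes a toy fragment shape (byte offsets rather than 8-byte units, a caller-chosen datagram key such as (src, dst, ip_id), and a caller-supplied clock), two overlap policies named "first" and "last", and constructed sample traffic.

```python
from collections import OrderedDict


class FragmentReassembler:
    """Reassembles fragments per datagram key under hard resource bounds.

    Toy model (added example): a fragment is (offset, payload, more) with byte
    offsets; the key is whatever tuple the caller uses, e.g. (src, dst, ip_id).
    The overlap policy decides which bytes win when two fragments cover the
    same range; that choice is what differs between stacks.
    """

    def __init__(self, max_bytes=4096, max_frags=64, timeout=30.0, overlap="first"):
        if overlap not in ("first", "last"):
            raise ValueError("overlap must be 'first' or 'last'")
        self.max_bytes = max_bytes    # payload bytes held across all queues
        self.max_frags = max_frags    # fragments one datagram may accumulate
        self.timeout = timeout        # seconds an incomplete datagram may linger
        self.overlap = overlap        # "first": earliest copy wins; "last": latest wins
        self.queues = OrderedDict()   # key -> state, oldest insertion first
        self.buffered = 0             # bytes currently held
        self.dropped = 0              # incomplete datagrams discarded

    def _release(self, key):
        self.buffered -= self.queues.pop(key)["bytes"]

    def _drop(self, key):
        self._release(key)
        self.dropped += 1

    def _expire(self, now):
        for key in list(self.queues):            # oldest first
            if now - self.queues[key]["born"] > self.timeout:
                self._drop(key)
            else:
                break

    def add(self, key, offset, payload, more, now):
        """Queue one fragment; return the datagram payload once complete, else None."""
        self._expire(now)
        st = self.queues.get(key)
        if st is None:
            st = self.queues[key] = {"frags": [], "bytes": 0, "born": now, "total": None}
        st["frags"].append((offset, bytes(payload)))
        st["bytes"] += len(payload)
        self.buffered += len(payload)
        if not more:
            st["total"] = offset + len(payload)
        # Per-datagram bound: a storm of tiny fragments cannot monopolise the table.
        if len(st["frags"]) > self.max_frags:
            self._drop(key)
            return None
        # Global bound: evict the oldest incomplete datagrams (the stale half of a
        # flood) rather than refusing the fragment that just arrived.
        while self.buffered > self.max_bytes:
            self._drop(next(iter(self.queues)))
        if key not in self.queues:
            return None
        return self._try_complete(key)

    def _try_complete(self, key):
        st = self.queues[key]
        if st["total"] is None:
            return None
        buf, have = bytearray(st["total"]), bytearray(st["total"])
        # Reverse arrival order lets the earliest fragment overwrite later ones
        # ("first" wins); forward order lets the latest fragment win.
        frags = reversed(st["frags"]) if self.overlap == "first" else st["frags"]
        for off, data in frags:
            end = off + len(data)
            if end > st["total"]:
                self._drop(key)                  # data past the declared end: malformed
                return None
            buf[off:end] = data
            have[off:end] = b"\x01" * len(data)
        if not all(have):
            return None                          # holes remain; keep waiting
        self._release(key)
        return bytes(buf)


def reassemble_overlap(policy):
    """Constructed IDS-evasion case: the same three fragments, two different results."""
    r = FragmentReassembler(overlap=policy)
    key = ("10.0.0.1", "10.0.0.2", 0x1234)
    r.add(key, 0, b"GET /index.html ", True, 0.0)
    r.add(key, 4, b"/etc/passwd ", True, 0.1)    # overlaps bytes 4..16
    return r.add(key, 16, b"HTTP/1.0", False, 0.2)


def flood_then_legit(n_attack=500):
    """Constructed frag flood: 500 first-fragments that never complete, then real traffic."""
    r = FragmentReassembler(max_bytes=4096, max_frags=64, timeout=30.0)
    for i in range(n_attack):
        r.add(("203.0.113.9", "10.0.0.2", i), 0, b"A" * 64, True, i * 0.01)
    key = ("10.0.0.1", "10.0.0.2", 7)
    r.add(key, 0, b"hello ", True, 10.0)
    out = r.add(key, 6, b"world", False, 10.1)
    return out, r.dropped, len(r.queues)


def tiny_fragment_storm():
    """One datagram sliced into more pieces than allowed is discarded outright."""
    r = FragmentReassembler(max_frags=8)
    key = ("203.0.113.9", "10.0.0.2", 1)
    for i in range(9):
        r.add(key, i, b"x", True, 0.0)
    return key in r.queues, r.dropped
```

With the "first" policy the reassembled request reads `GET /index.html HTTP/1.0`; with "last" the same fragments yield `GET /etc/passwd HTTP/1.0`, which is the whole trick: a filter or IDS that reassembles one way and a host that reassembles the other disagree about what was sent. In the flood case the legitimate datagram still completes because the table evicts the oldest half-finished entries first, and the drop counter shows the cost that eviction carries. A real kernel reassembler additionally has to do this under interrupt-time constraints, which is the balancing act the post describes.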