On Thu, 11 Apr 2002, Mikael Olsson wrote:

> Then AGAIN, linux machines deliver all fragments "backwards",

Yep, the stack is um..."quirky" in behaviour.  Fixing it isn't easy either
:(

> > Not everyone was asked- a lot of OSen weren't used for Web
> > servers back then, and some of those that were aren't used
> > much at all anymore.
>
> By the way, did you know that you can DoS fragment reassembly on an
> entire LAN of NT4SP0--5 machines (I believe Win2K without servicepacks
> too) through the bandwidth equivalent of a 300bps modem and still have
> enough bandwidth for a (laggy) IRC session? :)

Hmmm, I assume broadcast addressed frags?

> However, I guess I must admit that this got better in NT4SP6
> and W2KSP[n].
>
>
> > That's true of anything that may see duress, however your "if" isn't even
> > close to the norm.  It'd be interesting if all the firewall vendors
> > published known bugs/kloc specs for their development teams.
>
> "For their development teams to see" or "for anyone to see"?
> (And what's a "kloc"? :))

"For anyone to see," and thousand lines of code.

> Don't hold your breath :P
>
> However, I'd also like to see that stream cross more than two
> routers without losing packets, thus making it impossible to log
> it accurately. ... but now we're crossing into IDS territory.

Do I get to pick what qualifies as a "router?" ;)

> Hrm... I believe I started out attacking the proxy architecture.
> How on earth did you manage to turn this around and put me in a
> defensive position?  I must be getting slow.

It's a skill ;)

> Let's see now, what more mud slinging can I do.. Oh yeah, Barbie(tm)
> software with buffer overruns in it, pre-installed on proxies!

Instantiation problem, not architectural (though the dweeb who allowed it
should have been shot right before the marketing m0r0n who thought it was
a good idea.)

> And sendmail used as mail proxy! And BIND as DNS proxy!

I haven't run Sendwhale in about 8 years, so I'll counter with Postfix as
an SMTP proxy.  And I'll up your BIND to BIND 9 ("|grep vixie" returns
null.) and accept it on the box as a client, but not as a proxy-- since
that's not _necessary_ in a proxy-only scenario.  Now, let's take a
resolver problem, and see how many "protected" machines need patching in
each scenario...


Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
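The thread touches two reassembly behaviours: stacks that hand over fragments "backwards" (last piece first), and reassembly state that can be exhausted by a trickle of incomplete datagrams. The following is an added example, not code from this thread or from any product or project mentioned in it. It is a simplified IP fragment reassembler that accepts fragments in any order and bounds what unfinished datagrams may hold (a cap on concurrent pending datagrams, a per-datagram byte limit, and an idle timeout). The fragment model is an assumption for illustration: offsets are plain byte offsets rather than 8-byte units, there are no checksums, and every input below is constructed.

```python
"""Bounded, order-independent IP fragment reassembly (illustrative model).

Added example; assumes a simplified fragment format with byte offsets.
"""
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import time


@dataclass
class Fragment:
    src: str
    dst: str
    ident: int
    offset: int        # byte offset of this piece within the original datagram
    payload: bytes
    more: bool         # "more fragments" flag: True for every piece but the last


@dataclass
class PendingDatagram:
    pieces: Dict[int, bytes] = field(default_factory=dict)   # offset -> payload
    total_len: Optional[int] = None   # known once the last fragment has been seen
    first_seen: float = 0.0
    bytes_held: int = 0


class Reassembler:
    def __init__(self, max_pending: int = 64, max_bytes_per_datagram: int = 65535,
                 timeout: float = 30.0, clock=time.monotonic):
        self.max_pending = max_pending          # cap on concurrent incomplete datagrams
        self.max_bytes = max_bytes_per_datagram
        self.timeout = timeout                  # seconds an incomplete datagram may linger
        self.clock = clock                      # injectable for deterministic tests
        self.pending: "OrderedDict[tuple, PendingDatagram]" = OrderedDict()
        self.dropped = 0                        # incomplete datagrams discarded by limits

    def _expire(self) -> None:
        now = self.clock()
        for key in list(self.pending):
            if now - self.pending[key].first_seen > self.timeout:
                del self.pending[key]
                self.dropped += 1

    def feed(self, frag: Fragment) -> Optional[bytes]:
        """Accept one fragment; return the full payload when complete, else None."""
        self._expire()
        key = (frag.src, frag.dst, frag.ident)
        pd = self.pending.get(key)
        if pd is None:
            if len(self.pending) >= self.max_pending:
                # Evict the oldest incomplete datagram instead of growing without bound
                self.pending.popitem(last=False)
                self.dropped += 1
            pd = PendingDatagram(first_seen=self.clock())
            self.pending[key] = pd
        if frag.offset in pd.pieces:
            return None                         # duplicate piece: keep the first copy
        if pd.bytes_held + len(frag.payload) > self.max_bytes:
            del self.pending[key]               # oversized datagram: discard all state
            self.dropped += 1
            return None
        if pd.total_len is not None and frag.offset + len(frag.payload) > pd.total_len:
            return None                         # piece extends past the known end: ignore
        pd.pieces[frag.offset] = frag.payload
        pd.bytes_held += len(frag.payload)
        if not frag.more:
            pd.total_len = frag.offset + len(frag.payload)
        if pd.total_len is None:
            return None                         # last piece not yet seen
        # Walk pieces by offset; any gap means we are still waiting
        out = bytearray()
        pos = 0
        for off in sorted(pd.pieces):
            if off != pos:
                return None
            out += pd.pieces[off]
            pos += len(pd.pieces[off])
        if pos != pd.total_len:
            return None
        del self.pending[key]
        return bytes(out)


def split_datagram(payload: bytes, piece_len: int, src: str, dst: str, ident: int) -> List[Fragment]:
    """Construct fragments of a payload (test helper; constructed data)."""
    frags = []
    for off in range(0, len(payload), piece_len):
        chunk = payload[off:off + piece_len]
        frags.append(Fragment(src, dst, ident, off, chunk, off + piece_len < len(payload)))
    return frags


if __name__ == "__main__":
    r = Reassembler()
    frags = split_datagram(b"hello world!", 4, "10.0.0.1", "10.0.0.2", 7)
    for f in reversed(frags):                   # "backwards" delivery, last piece first
        result = r.feed(f)
    print(result, r.dropped)
```

Feeding the pieces last-first still yields the datagram once the gap closes, while a sender that never completes its datagrams only ever occupies `max_pending` slots and loses them to eviction or timeout.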

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
