[sorry, I'm months behind on this list :-)]
> Maybe. An attacker might be able to send what looks like an innocent
> IP & TCP header with the SYN bit clear and the ACK bit set (so it can
> get through an established connection filter), then follow it with a
> fragment with an offset of 1 (i.e. 8 bytes into the TCP header) and
This is easy to implement, but I have not yet seen a fragment
re-assembly implementation that would be fooled by this. In BSD for
instance fragments have leading overlay trimmed and overwrite trailing
overlay.
Ie.
[frag 0 with ACK and no SYN]
[frag 1 with ACK and SYN]
does not matter what order the fragments arrive, it builds a packet
with ACK and no SYN which gets a RST from the target.
While I don't have source to other implementations, the observed
behaviour of the ones I have access to suggest they behave the same
way.
Of course you could simply just send a frag 0 that does not contain
TCP flags and a router _may_ let that through. Dropping all frag 0's
with less than TCP header is a good idea.
--sjg
Follow-Ups:
|
|
