Great Circle Associates Firewalls
(July 1996)
 


Subject: Re: IP Masquerading and vulnerabilities
From: peter @ baileynm . com (Peter da Silva)
Date: Sat, 13 Jul 1996 11:29:03 -0500 (CDT)
To: cosmo @ ebs . net (Craig Brozefsky)
Cc: firewalls @ GreatCircle . COM
In-reply-to: <Pine . LNX . 3 . 91 . 960712193026 . 31031B-100000 @ gilligan . ebs . net> from "Craig Brozefsky" at Jul 12, 96 07:45:56 pm

> 1. Fragmenting packets so that port information is passed in second
>    packet and the filter only looks at first so it lets it go thru.  I 
>    know this is a possibility with various packet filtering firewalls on 
>    the market now.  Linux 2.0 has an option to re-assemble all fragmented 
>    packets going thru it before applying the filter which stops it.

Or just block packets that are too short to hold all the options. If you try
and reassemble all the fragments that opens you up to a denial of service
attack, and there really isn't any legitimate need to have packets that
short.
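
The length check suggested in the reply above, as an added example that is not part of the original post: a stateless per-packet verdict that drops first fragments too short to carry the transport header, with no reassembly state to exhaust. The 20-byte TCP and 8-byte UDP minimums, the rule for later fragments that start inside the header (which goes beyond the message), and all function names and sample packets are assumptions made for illustration.

```python
import struct

IPPROTO_TCP, IPPROTO_UDP = 6, 17
# Assumption: the filter needs the fixed 20-byte TCP header or 8-byte UDP header.
MIN_TRANSPORT = {IPPROTO_TCP: 20, IPPROTO_UDP: 8}

def filter_verdict(packet: bytes) -> str:
    """Return 'drop' or 'pass' for one raw IPv4 packet, with no reassembly."""
    if len(packet) < 20:
        return "drop"                       # cannot hold an IPv4 header
    ver_ihl, _, total_len, _, flags_frag, _, proto = struct.unpack_from(
        "!BBHHHBB", packet)
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or not ihl <= total_len <= len(packet):
        return "drop"                       # malformed or truncated
    need = MIN_TRANSPORT.get(proto)
    if need is None:
        return "pass"                       # no port-based rule applies
    offset = (flags_frag & 0x1FFF) * 8      # fragment offset in bytes
    if offset == 0:
        # First fragment or whole packet: must carry the full transport
        # header, so the port rules are applied to real values.
        return "pass" if total_len - ihl >= need else "drop"
    # Later fragment: drop if it starts inside the transport header.
    return "drop" if offset < need else "pass"

def make_packet(proto, offset_units, more_frags, payload):
    """Build a constructed IPv4 packet (checksum left at 0) for the demo."""
    flags_frag = (0x2000 if more_frags else 0) | offset_units
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1,
                       flags_frag, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + payload

if __name__ == "__main__":
    samples = {  # constructed inputs, not captured traffic
        "tiny first TCP fragment (8 bytes)": make_packet(6, 0, True, bytes(8)),
        "TCP fragment at offset 8": make_packet(6, 1, False, bytes(32)),
        "first TCP fragment, full header": make_packet(6, 0, True, bytes(24)),
        "TCP fragment at offset 24": make_packet(6, 3, False, bytes(32)),
        "unfragmented UDP": make_packet(17, 0, False, bytes(12)),
    }
    for name, pkt in samples.items():
        print(f"{filter_verdict(pkt):4}  {name}")
```

Each verdict depends only on the packet in hand, so the filter keeps no per-flow fragment buffers.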


