Great Circle Associates Firewalls
(September 1996)

Subject: Re: IP spoofing
From: robp@anubis.network.com (Rob Peglar)
Date: Mon, 23 Sep 1996 08:15:03 -0500 (CDT)
To: ben@edelweb.fr (Ben)
Cc: firewalls@greatcircle.com
In-reply-to: <Pine.SUN.3.95.960923100511.10628A-100000@mercier.gctech.edelweb.fr> from "Ben" at Sep 23, 96 10:06:31 am

Only if your rules are lax enough to allow IP headers with length
less than 20 bytes.  It's good practice to toss/log/alarm all such packets.

E.g. 

filter badhdr
  not ip_datagram_length in (20..65535) alarm 8 fail; end

Rob

> An attacker can use a packet fragmentation technique to get a spoofed
> packet behind your filter rules by using a set of packet fragments that
> when separate would not trigger your rules, but when assembled would have 
> a spoofed address.  

-- 
Rob Peglar		Network Systems Corporation
robp@network.com	7600 Boone Ave N.  Mpls. MN 55428
612.391.1028		612.391.1358 (fax)
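The header-length sanity check Rob's rule expresses, written out as an added Python example (this is not code from the post, from Network Systems, or from any firewall product). It parses a raw IPv4 header, fails any datagram whose on-wire size, IHL field or total-length field claims fewer than 20 bytes, and goes one step beyond the post's rule by also failing a first fragment (offset 0, More Fragments set) that is too short to carry a transport header, which is the tiny-fragment case behind the quoted concern (RFC 1858 gives the same advice). The MIN_FIRST_FRAG_PAYLOAD threshold and the build_ipv4 helper are constructed for the demo, not values from the post.

```python
import struct

IPV4_MIN_HEADER = 20        # bytes; an IHL of 5 words is the smallest legal header
MIN_FIRST_FRAG_PAYLOAD = 8  # assumed policy minimum: ports plus TCP sequence number must fit in fragment 0


def build_ipv4(total_len, ihl=5, flags_frag=0, proto=6,
               src="10.0.0.1", dst="10.0.0.2", payload=b""):
    """Construct a raw IPv4 datagram for the demo (sample data, not captured traffic).
    The checksum is left as zero; classify() does not verify it."""
    ver_ihl = (4 << 4) | ihl
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    header = struct.pack("!BBHHHBBH4s4s",
                         ver_ihl, 0, total_len, 0x1234, flags_frag,
                         64, proto, 0, src_b, dst_b)
    return header + payload


def classify(pkt: bytes) -> str:
    """Return 'pass', or a 'fail: ...' reason the way a filter rule would alarm and drop."""
    # Fewer than 20 bytes on the wire cannot even hold a minimal IPv4 header.
    if len(pkt) < IPV4_MIN_HEADER:
        return "fail: truncated, fewer than 20 bytes on the wire"
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, _proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4:
        return "fail: not IPv4"
    ihl_bytes = (ver_ihl & 0x0F) * 4
    # An IHL below 5 words claims a header shorter than the fixed fields themselves.
    if ihl_bytes < IPV4_MIN_HEADER:
        return "fail: IHL claims header shorter than 20 bytes"
    # The post's rule: ip_datagram_length must lie in 20..65535.
    if total_len < IPV4_MIN_HEADER:
        return "fail: total length below 20"
    if total_len < ihl_bytes or total_len > len(pkt):
        return "fail: total length inconsistent with header or captured bytes"
    more_frags = bool(flags_frag & 0x2000)
    frag_offset = flags_frag & 0x1FFF
    payload_len = total_len - ihl_bytes
    # Tiny-fragment check (beyond the post's rule): a first fragment that cannot hold
    # the transport header leaves nothing for port-based rules to examine.
    if frag_offset == 0 and more_frags and payload_len < MIN_FIRST_FRAG_PAYLOAD:
        return "fail: tiny first fragment, transport header incomplete"
    return "pass"


if __name__ == "__main__":
    samples = {
        "normal":        build_ipv4(total_len=40, payload=b"\x00" * 20),
        "short_length":  build_ipv4(total_len=19),
        "short_ihl":     build_ipv4(total_len=20, ihl=4),
        "tiny_fragment": build_ipv4(total_len=24, flags_frag=0x2000, payload=b"\x00" * 4),
        "truncated":     b"\x45" * 10,
    }
    for name, pkt in samples.items():
        print(f"{name:14s} -> {classify(pkt)}")
```

Running the block prints one verdict per constructed sample; only the well-formed 40-byte datagram passes, and each malformed one reports the specific field that violated the rule, which is the information a log or alarm entry should carry.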