[We are talking about how to filter fragments in a secure manner. One
suggestion was to reassemble IP packets at the firewall. Darren Reed
describes the following denial of service attack for this scenario.]
> > Reassembling packets at the firewall surely is a cure for this problem.
> [...]
>
> It cures one problem, but introduces an exposure to a new problem:
> DOS attack on the firewall with fragments stopping all hosts, which
> would otherwise receive fragments or not, from operating due to buffer
> space shortage.
[...]
Thanks for pointing this out. I did not think of that.
But we might let the queued fragments time out quickly enough so that
we can give an upper limit to memory usage depending on the network
bandwidth present (a la SYN flood defence). This should also be taken
into account for application level firewalls, since they are vulnerable
to the same kind of denial of service attack, BTW.
I'd certainly accept the risk of a DOS attack if this would make the
access control of my firewall more stable, especially if the risk
can be minimized to nearly zero as suggested above. I do not see any
problems with reassembly apart from a possible impact on performance.
Reassembly is simply one step towards an application gateway. You lose
performance but you gain security.
-Thomas
--
Thomas Lopatic lopatic @
informatik .
uni-muenchen .
de
|
|
