[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] A new TCP/IP blind data injection technique?
- To: full-disclosure@lists.netsys.com
- Subject: Re: [Full-Disclosure] A new TCP/IP blind data injection technique?
- From: Michael Gale <michael@bluesuperman.com>
- Date: Mon, 15 Dec 2003 10:15:23 -0700
Hello,
Well first of all, one of the industry leading firewalls (
BorderWare Firewall Server ) does NOT pass fragmented packets.
Also netfilter / iptables has the following optio:
[!] -f, --fragment
This means that the rule only refers to second and further
fragments of fragmented packets. Since there is no way
to tell the source or destination ports of such a packet (or ICMP type),
such a packet will not match any rules which specify them.
When the "!" argument precedes the "-f" flag, the rule will
only match head fragments, or unfragmented packets.
I have a rule at the beginning:
iptables -A INPUT -f -j DROP
So all my firewall boxes and any I have setup for other companies DROP
fragmented packets.
Michael.
On Sun, 14 Dec 2003 10:24:55 +0100 (CET)
Michal Zalewski <lcamtuf@ghettot.org> wrote:
> On Sat, 13 Dec 2003, Michael Gale wrote:
>
> > Well then .. I am happy that non of the firewalls I use accept or
> > pass fragments packets.
>
> I would be willing to assume you are confused. Can you provide any
> references that would confirm this observation?
>
> --
> ------------------------- bash$ :(){ :|:&};: --
> Michal Zalewski * [http://lcamtuf.coredump.cx]
> Did you know that clones never use mirrors?
> --------------------------- 2003-12-14 10:24 --
>
> http://lcamtuf.coredump.cx/photo/current/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html