Mailinglist Archive: opensuse-security (192 mails)

Re: [suse-security] IPChains
  • From: Roman Drahtmueller <draht@xxxxxxxxxxxxxxx>
  • Date: Mon, 29 May 2000 05:25:15 +0200 (MEST)
  • Message-id: <Pine.LNX.4.21.0005290422410.27006-100000@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
> There I was writing quicker than I was with reading. :(
> Fragmented ICMP packets aren't (necessarily) corrupted. But I
> had in mind a Bugtraq article of the last days where a cracker
> misused artificially wrongly fragmented ICMP to fool TCP stacks.
> It seems to be necessary to always defragment everything on a
> firewall. Trying to cut corners often turns out to fail sooner
> or later. And by employing path MTU discovery fragmentation
> should even become uncommon and avoidable. Maybe one even should
> drop fragmented packets in general, as well as packets too short
> to be real, and source-routed packets where the workstation (or
> origin) thinks it is more clever than the routers about routing?
> virtually yours    82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
> Gerhard Sittig     true | mail -s "get gpg key" Gerhard.Sittig@xxxxxxx

Hi Gerhard,

It is necessary to always defragment on a firewall, because you may not be
able to tell what an IP packet actually contains.
A non-defragmenting port filtering firewall can only apply the rules to
the TCP/UDP header data in the first fragment. All following fragments may
or may not belong to an existing connection (TCP), but the filter can't
tell if it doesn't defragment. This is why non-defragmenting filters
should let all fragments other than the first one pass. The cost of
maintaining a list of saddr+daddr pairs whose first fragment passed the
filter justifies general defragmentation.

Now there's an old trick: Make the fragments so small that even the TCP
headers don't fit in full length. If you don't have the header of a
packet, you can't filter it by ports. (Keep in mind that fragmentation
happens in the IP-layer, not in the TCP/UDP/ICMP/...-layer.) Either you
drop a fragment with offset 0 that isn't long enough for a complete TCP,
UDP, ICMP, ... header and accept all other frags, or you reassemble the
whole datagram before you route it somewhere. The latter is recommended
(and necessary for Linux), despite the performance drawback.

The thing with MTU discovery: If it works, it maximizes your network
throughput, if it doesn't, people will say that this O/S has a "slow"
network/IP implementation. MTU discovery doesn't cause a security problem,
but admins who filter _all_ ICMPs cause an MTU discovery problem (among
others). Keeping to the standards still leaves you enough room for
configuration and is not necessarily a contradiction to security.

Dropping fragmented packets is definitely not an option. It violates the
standards, and it will make your firewall/filter somewhat unusable (you'd
f.ex. notice that interactive session protocols such as ssh and telnet
(and ftp-control connection) work fine, but others (http, ftp-data) don't
because the packets sent are big enough to need fragmentation). Redefining
the standards is an option, though...

The source routed frames thing you mention is important!

 _                                                               _
| Roman Drahtmüller             "The best way to pay for a       |
| CC University of Freiburg      lovely moment is to enjoy it."  |
| email: draht@xxxxxxxxxxxxxxx   - Richard Bach                  |
 -                                                               -
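A worked illustration of the tiny-fragment problem and the two defences described in the message above (drop an offset-0 fragment that cannot hold a complete transport header, or reassemble the datagram before filtering). This is an added example, not code from this thread, from SuSE or from ipchains: it hand-builds IPv4/TCP datagrams in Python instead of touching a real interface, and the filter rule (block new connections to port 23, pass everything else), the addresses and the fragment sizes are assumptions chosen for the demonstration.

```python
import struct

# Constructed example: hand-built IPv4/TCP datagrams, nothing touches a socket.
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
MIN_HDR = {IPPROTO_TCP: 20, IPPROTO_UDP: 8, IPPROTO_ICMP: 8}  # full header sizes
IP_MF = 0x2000                 # "more fragments" bit in the IP flags/offset field
TCP_SYN, TCP_ACK = 0x02, 0x10

def ipv4_header(src, dst, proto, ident, payload_len, offset8=0, mf=False):
    """20-byte IPv4 header (checksum left zero; this never hits the wire)."""
    flags_off = (IP_MF if mf else 0) | (offset8 & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       flags_off, 64, proto, 0, src, dst)

def parse_ipv4(frag):
    """Fields a fragment filter needs; the offset is converted to bytes."""
    ihl = (frag[0] & 0x0F) * 4
    total, ident, flags_off, _ttl, proto = struct.unpack("!HHHBB", frag[2:10])
    return {"src": frag[12:16], "dst": frag[16:20], "id": ident, "proto": proto,
            "mf": bool(flags_off & IP_MF), "offset": (flags_off & 0x1FFF) * 8,
            "payload": frag[ihl:total]}

def tcp_header(sport, dport, flags, seq=1, ack=0, window=8192):
    """Minimal 20-byte TCP header, no options; the flags byte sits at offset 13."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)

def fragment(src, dst, proto, ident, payload, sizes):
    """Split an IP payload into fragments of the given sizes. Fragmentation is an
    IP-layer operation, so nothing stops a sender from cutting through the TCP
    header. All but the last size must be multiples of 8 (offset units)."""
    frags, pos = [], 0
    for i, size in enumerate(sizes):
        chunk, last = payload[pos:pos + size], i == len(sizes) - 1
        frags.append(ipv4_header(src, dst, proto, ident, len(chunk), pos // 8, not last) + chunk)
        pos += size
    assert pos == len(payload), "sizes must cover the whole payload"
    return frags

def decide_tcp(tcp):
    """Assumed filter rule: block new (SYN without ACK) connections to telnet."""
    _sport, dport = struct.unpack("!HH", tcp[:4])
    flags = tcp[13]
    return "drop" if dport == 23 and flags & TCP_SYN and not flags & TCP_ACK else "pass"

def naive_filter(frag):
    """Non-defragmenting port filter: applies the rule to the first fragment only
    and waves later fragments through. 'undecidable' means the first fragment
    is too short to even contain the TCP flags byte."""
    ip = parse_ipv4(frag)
    if ip["offset"] != 0 or ip["proto"] != IPPROTO_TCP:
        return "pass"
    return "undecidable" if len(ip["payload"]) < 14 else decide_tcp(ip["payload"])

def tiny_first_fragment(frag):
    """Defence 1: an offset-0 fragment with more to follow that cannot hold a
    complete transport header is dropped outright."""
    ip = parse_ipv4(frag)
    return ip["offset"] == 0 and ip["mf"] and len(ip["payload"]) < MIN_HDR.get(ip["proto"], 0)

class Reassembler:
    """Defence 2: reassemble (keyed by src, dst, id, proto) before filtering.
    A later fragment at the same offset overwrites the earlier one."""
    def __init__(self):
        self.pending = {}

    def add(self, frag):
        """Feed one fragment; returns the full IP payload once complete, else None."""
        ip = parse_ipv4(frag)
        key = (ip["src"], ip["dst"], ip["id"], ip["proto"])
        entry = self.pending.setdefault(key, {"parts": {}, "total": None})
        entry["parts"][ip["offset"]] = ip["payload"]
        if not ip["mf"]:
            entry["total"] = ip["offset"] + len(ip["payload"])
        if entry["total"] is None:
            return None
        data, pos = b"", 0
        while pos < entry["total"]:
            part = entry["parts"].get(pos)
            if part is None:
                return None        # hole: keep waiting for the missing piece
            data += part
            pos += len(part)
        del self.pending[key]
        return data

def reassembling_filter(frags):
    """Run fragments through the reassembler and filter the whole datagram."""
    r = Reassembler()
    for frag in frags:
        data = r.add(frag)
        if data is not None:
            return decide_tcp(data)
    return "incomplete"

def demo():
    src, dst = bytes([10, 0, 0, 5]), bytes([192, 168, 1, 10])   # assumed addresses
    # Attack: SYN to port 23 cut into an 8-byte first fragment (ports only, no flags).
    tiny = fragment(src, dst, IPPROTO_TCP, 0x1234, tcp_header(40000, 23, TCP_SYN), [8, 12])
    # Legitimate traffic: a 1420-byte HTTP segment fragmented at a 1000-byte boundary.
    http = fragment(src, dst, IPPROTO_TCP, 0x1235,
                    tcp_header(40001, 80, TCP_ACK) + b"G" * 1400, [1000, 420])
    return {"tiny_naive": [naive_filter(f) for f in tiny],           # ['undecidable', 'pass']
            "tiny_flagged": [tiny_first_fragment(f) for f in tiny],  # [True, False]
            "tiny_reassembled": reassembling_filter(tiny),           # 'drop'
            "http_naive": [naive_filter(f) for f in http],           # ['pass', 'pass']
            "http_flagged": [tiny_first_fragment(f) for f in http],  # [False, False]
            "http_reassembled": reassembling_filter(http)}           # 'pass'
```

Calling `demo()` shows the three behaviours side by side: the first-fragment-only filter cannot decide on the 8-byte fragment and passes the rest, the tiny-fragment check catches exactly that fragment, and full reassembly applies the rule to the complete header while still passing the ordinary fragmented HTTP segment (which is why dropping all fragments is not the answer).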
