Hi! I sent a post on bugtraq a few weeks ago: http://online.securityfocus.com/archive/1/267850

Since that time, somebody asked me if the fragment vulnerability I mentioned was really something to blame NPF for, or not. The question is: "are you sure that it is technically possible to avoid the jolt2 fragment in an affected Windows box without re-implementing a new TCP stack?"

More details on this are available in the following bugtraq post: http://online.securityfocus.com/archive/1/62170

In particular, the following is said near the end of the post:

* If the proxy firewall is running on a vulnerable OS and doesn't have its own network layer code (relies on the MS stack), the attack will DoS the firewall itself, effectively DoSing your entire connection.

I did some more tests and I found that the claim in the quoted post is not entirely correct. A program running on the affected machine can AVOID jolt2 with no need for its own network layer code. Actually, I even found some more about NPF 2002. The step-by-step testing I did follows:

I tried to create two rules (one for TCP and UDP and one for ICMP) to block ANY packet from my attacking IP (using System Wide Settings and the most strict setting I could find). My guess was: if blocking all traffic from that IP would block the jolt2 attack, then NPF's claim to block IP fragments is false (let's say "incomplete").

The jolt2 was NOT blocked.

I tried my SYN/FIN scan again (with the aforementioned rules turned on) and the scan was STILL working. So my *idea* is: NPF applies rules ONLY to TCP packets with only the SYN flag on. Please let me highlight it: I told NPF to block ALL TCP, UDP and ICMP traffic from a certain IP and STILL the SYN/FIN scan and jolt2 succeeded (Note: no way to block different protocols apart from these three).

So, about the jolt2 issue: it was still not clear whether a personal firewall was technically able to block jolt2. I did another test.
I removed NPF from the affected system (Windows 2000 with no patch or SP) and installed our personal firewall. Our personal firewall, called "Pc Protection" ( http://www.pcprotection.it ), is a newborn product and does not have a "detect portscan" feature or a "block fragment" feature yet. It's an NDIS layer filter. The guess was: if our personal firewall can block jolt2, then you can place a personal firewall in the Windows 2000 stack to prevent the jolt2 kind of fragments. Note that our personal firewall does NOT provide its own TCP/IP stack.

I again created an "ad hoc" rule to block all traffic from the attacker IP and (put pride here...) the computer didn't hang!

So, I hope these tests are what you were looking for. Please feel free to contact me for further help.

Best regards,
Alfonso

Vendor URL:
===========
You can visit the vendor's webpage here: http://www.symantec.com/sabu/nis/npf/

DISCLAIMER
==========
The information within this document may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any consequences whatsoever arising out of or in connection with the use or spread of this information. Any use of this information lies within the user's responsibility.

/******
Alfonso Fiore - Security Consultant
Secure Edge srl - your safety .net
http://www.secure-edge.com
******/
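The post argues that a host-side filter below the OS stack can drop a jolt2-style fragment stream. As an added illustration (not code from the post, from NPF or from Pc Protection), the following parses the fragmentation fields of raw IPv4 headers and flags datagrams for which many identical non-initial fragments arrive while no offset-0 fragment ever does; the header-building helper, the source addresses, IDs and the threshold of 10 are constructed for offline testing.

```python
import struct
from collections import Counter

def parse_ipv4_header(pkt: bytes) -> dict:
    """Extract the fragmentation fields a packet filter needs from an IPv4 header."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, ident, flags_off, _, proto, _, src, _ = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return {
        "src": ".".join(str(b) for b in src),
        "id": ident,
        "proto": proto,
        "mf": bool(flags_off & 0x2000),        # More Fragments flag
        "offset": (flags_off & 0x1FFF) * 8,    # fragment offset is in 8-byte units
        "data_len": total_len - (ver_ihl & 0x0F) * 4,
    }

def find_fragment_floods(headers, threshold: int = 10):
    """Return (src, id, offset) keys seen as non-initial fragments at least
    `threshold` times with no offset-0 fragment for that datagram, plus any
    fragment whose data would extend past the 65535-byte IP maximum."""
    tails, heads, oversize = Counter(), set(), set()
    for pkt in headers:
        h = parse_ipv4_header(pkt)
        if not (h["mf"] or h["offset"] > 0):
            continue                            # not a fragment at all
        key = (h["src"], h["id"])
        if h["offset"] == 0:
            heads.add(key)                      # first fragment of a datagram
        else:
            tails[key + (h["offset"],)] += 1
        if h["offset"] + h["data_len"] > 65535:
            oversize.add(key + (h["offset"],))
    floods = {k for k, n in tails.items() if n >= threshold and k[:2] not in heads}
    return sorted(floods | oversize)

def make_ipv4_header(src, ident, offset_units, mf, data_len, proto=17):
    """Constructed 20-byte IPv4 header for offline testing (checksum left zero)."""
    flags_off = (0x2000 if mf else 0) | (offset_units & 0x1FFF)
    src_b = bytes(int(o) for o in src.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + data_len, ident, flags_off,
                       64, proto, 0, src_b, bytes([10, 0, 0, 2]))

# Constructed sample: one normal two-fragment datagram, then 12 identical
# non-initial fragments from another host that never get an offset-0 head.
SAMPLE = [make_ipv4_header("192.0.2.1", 0x1234, 0, True, 1480),
          make_ipv4_header("192.0.2.1", 0x1234, 185, False, 100)]
SAMPLE += [make_ipv4_header("198.51.100.7", 0x1111, 4000, False, 8)] * 12
```

A filter at the NDIS layer would apply the same per-(source, ID, offset) logic as packets arrive and drop the stream before it reaches the stack, which is the behaviour the post reports for its own product.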
This archive was generated by hypermail 2b30 : Mon Apr 29 2002 - 18:14:47 PDT