RE: streams of fragments...

From: Portnoy, Gary (gportnoyat_private)
Date: Wed Jul 18 2001 - 11:47:09 PDT


    There wouldn't be any harm in blocking all fragmented packets, unless your
    users VPN in.  I know that certain VPN protocols encapsulate the IP data,
    creating packets larger than the Ethernet MTU of 1500.  This causes the
    packet to be fragmented.  Just a word of advice: be careful.  Sniff your
    network to make sure that you don't normally generate or receive fragmented
    packets...
    
    -Gary-
    
    -----Original Message-----
    From: Jose Nazario [mailto:joseat_private]
    Sent: Wednesday, July 18, 2001 1:10 PM
    To: Gamble
    Cc: Russell Fulton; incidentsat_private
    Subject: Re: streams of fragments...
    
    
    On Wed, 18 Jul 2001, Gamble wrote:
    
    >  This sounds like a DOS attack.  By sending you many fragmented
    > packets the attacker could consume a lot of the memory on your
    > machine.  You could counter this by blocking all IP fragments on your
    > firewall, but that would also prevent legitimate activities.
    
    a lot of sites block fragments to no great loss of theirs. in this day and
    age it's usually not needed. i found this out some years ago helping a
    friend with a Linux firewall on his PPP link. his ISP had a PPP MTU of
    about 576, but his ethernet frames were set to an MTU of 1500, and you
    guessed it, he generated fragments. some sites were totally inaccessible
    until he tuned down his MTU to under 576 on his internal ethernet LAN.
    
    they're big names, but i won't post them here. *shrug* blocking fragments is
    not that bad to do these days.
    
    ____________________________
    jose nazario						     joseat_private
    	      	     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
    				       PGP key ID 0xFD37F4E5 (pgp.mit.edu)
    
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    
    



    This archive was generated by hypermail 2b30 : Wed Jul 18 2001 - 13:40:28 PDT
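
Added example (not part of the original messages): one way to run the check suggested above before blocking fragments, by counting IPv4 fragments per source/destination pair in a capture from any sniffer. It assumes a classic pcap file with Ethernet framing; the function names and the sample capture are constructed for illustration.

```python
import socket
import struct
from collections import Counter

MF, OFFSET_MASK = 0x2000, 0x1FFF  # more-fragments flag, 13-bit fragment offset


def fragment_report(pcap: bytes):
    """Return (ipv4_total, Counter{(src, dst): fragments}) for a classic pcap."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    total, frags, pos = 0, Counter(), 24
    while pos + 16 <= len(pcap):
        caplen = struct.unpack(end + "I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        # Need Ethernet (14) + IPv4 header (20); VLAN-tagged and non-IPv4 frames are skipped.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        total += 1
        flags_off = struct.unpack("!H", frame[20:22])[0]  # IPv4 header bytes 6-7
        if flags_off & MF or flags_off & OFFSET_MASK:  # first/middle or later fragment
            pair = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
            frags[pair] += 1
    return total, frags


def sample_pcap():
    """Constructed capture: one unfragmented packet, then a two-fragment datagram."""
    def rec(src, dst, flags_off):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, flags_off, 64, 17, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        eth = b"\x00" * 12 + b"\x08\x00" + ip
        return struct.pack("<IIII", 0, 0, len(eth), len(eth)) + eth
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return (hdr + rec("192.0.2.10", "198.51.100.5", 0x4000)  # DF set, whole packet
            + rec("192.0.2.20", "198.51.100.5", MF)          # first fragment
            + rec("192.0.2.20", "198.51.100.5", 185))        # last fragment, offset 1480
if __name__ == "__main__":
    total, frags = fragment_report(sample_pcap())
    print(f"{sum(frags.values())} of {total} IPv4 packets are fragments")
    for (src, dst), n in frags.most_common():
        print(f"  {src} -> {dst}: {n}")
```

Pairs that show up in the report for normal traffic (VPN endpoints, for instance) are the ones a blanket fragment block would break.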