Re: streams of fragments...

From: Dug Song (dugsongat_private)
Date: Wed Jul 18 2001 - 11:51:52 PDT

  • Next message: Brian McWilliams: "Re: "Code Red" worm questions"

    On Wed, Jul 18, 2001 at 01:10:14PM -0400, Jose Nazario wrote:
    
    > a lot of sites block fragments to no great loss of theirs. in this
    > day and age it's usually not needed.
    
    this really depends on your site's normal traffic, and whether you've
    actually measured enough of it to make a reasonable decision:
    
    	http://www.caida.org/outreach/papers/pam2001/fragmentation.xml
    
    there are better ways to handle fragments at a security gateway than
    just to drop them - see the OpenBSD packet filter's IP normalization
    code for details.
    
    -d.
    
    ---
    http://www.monkey.org/~dugsong/
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Jul 18 2001 - 13:50:49 PDT