
Security Basics mailing list archives

Reassembling IP packet Fragments w/o First Fragment
From: Mike Marcus <mmarcus () mbminfotech com>
Date: 13 Dec 2003 19:43:23 -0000

Denial of Service Attacks and Firewalls without Stateful inspection.

From what I understand, most firewalls do not let through IP fragments until the first IP fragment (with the TCP header) is received.  I am told that a DoS can be launched by someone sending IP packets with the same IP header and never sending the first packet.

I read that one way to alleviate this is to let the second and subsequent IP packets through and inspect the first packet only.  I also read that some can fool the firewall into thinking the 1st packet is a subsequent packet.  I am also told that some implementations of TCP/IP will reassemble the packets once they all pass through the firewall.  This allows someone to send to a PC that is behind the firewall.

First, is the information above accurate?  And if so:
How do I know what services / implementations of TCP/IP have the vulnerability, and how do I make adjustments on servers / workstations?  Also, does stateful inspection in the firewall relegate this to a non-issue?
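The hold-until-first-fragment policy the post describes, sketched as an added example (not code from the original post or from any firewall product) of how a fragment table can be bounded so that datagrams whose first fragment never arrives cannot exhaust it. The tracker, its timeout, the table cap, the minimum first-fragment size and the `expired_without_first` counter used as a detection signal are all assumptions of this example.

```python
from dataclasses import dataclass
from collections import OrderedDict

MIN_FIRST_PAYLOAD = 20  # assumed floor: a first fragment must carry a full 20-byte TCP header

@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ident: int        # IP identification field shared by all fragments of one datagram
    offset: int       # fragment offset in bytes (0 = first fragment)
    payload_len: int  # bytes of payload in this fragment

class FragmentTracker:
    """Hold non-first fragments until the first fragment of their datagram arrives."""

    def __init__(self, timeout=30.0, max_groups=1000):
        self.timeout, self.max_groups = timeout, max_groups
        self.groups = OrderedDict()     # (src, dst, ident) -> [seen_first, last_seen, held]
        self.expired_without_first = 0  # detection signal: groups that timed out with no first fragment
        self.dropped_tiny_first = 0     # first fragments too short to inspect the transport header

    def _expire(self, now):
        # Evict idle groups; count the ones that never produced a first fragment.
        for key in [k for k, g in self.groups.items() if now - g[1] > self.timeout]:
            if not self.groups[key][0]:
                self.expired_without_first += 1
            del self.groups[key]

    def feed(self, frag, now):
        """Return the list of fragments that may be forwarded after seeing `frag`."""
        self._expire(now)
        if frag.offset == 0 and frag.payload_len < MIN_FIRST_PAYLOAD:
            self.dropped_tiny_first += 1
            return []  # first fragment cannot hold the TCP header the firewall needs to inspect
        key = (frag.src, frag.dst, frag.ident)
        group = self.groups.get(key)
        if group is None:
            if len(self.groups) >= self.max_groups:
                return []  # table full: refuse new groups rather than grow without bound
            group = self.groups[key] = [False, now, []]
        group[1] = now
        if frag.offset == 0:
            group[0] = True
        if group[0]:
            released = group[2] + [frag]  # first fragment known: flush everything held
            group[2] = []
            return released
        group[2].append(frag)  # still no first fragment: keep holding
        return []
```

Constructed fragments that never get an offset-0 companion are held until the timeout and then show up in `expired_without_first`, which is the counter a defender would watch for the pattern the post describes.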
