Home page logo
/

basics logo Security Basics mailing list archives

Re: Reassembling IP packet Fragments w/o First Fragment
From: Devilscrow Sr <devilscrow () gawab com>
Date: Tue, 16 Dec 2003 02:27:15 +0530

Hi Mike,

My comments inline.....

Mike Marcus wrote:

First, is the information above accurate? And if so:
How to I know what services / implementations of TCP/IP have the vulnerability and how do I make adjustments on Servers 
/ Workstations?  Also does Stateful inspection in the firewall relegate this to a non-issue?
Well the information used to be accurate till some time back. Most stateful firewalls and ids(s) available today can perform fragment reassembly.

Senario 1, the first frag is not sent where as all the other fragments have arrived and block up space on the rec(buff) while waiting for the first frag. This used to be a problem but most vendors have an easy answer to this, the problem can be rectified by reducing the fragment time wait parameter on your systems. Therefore reducing the time the packets will be retained in the static buffer, hence reducing the chance of having a dos condition.

Senario 2, does not exsist anymore... it has been rectified in most of the stateful inspection systems.

For more information you could read a very descriptive article available at www.securityfocus.com click on infocus and it should be there in the windows archives.

-dev

---------------------------------------------------------------------------
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]