Bugtraq
mailing list archives
RE: A new TCP/IP blind data injection technique?
From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 11 Dec 2003 08:38:00 -0800
-----Original Message-----
From: Michal Zalewski [mailto:lcamtuf () ghettot org]
<snip>
1. Path MTU discovery (DF set) prevents fragmentation [*]; some modern
systems (Linux) default to this mode - although PMTU discovery is
also known to cause problems in certain setups, so it is not always
the best way to stop the attack.
[*] Also note that certain types of routers or tunnels tend to
ignore the DF flag, possibly opening this vector again.
<snip>
Note that this has nothing to do with old firewall bypassing techniques
and other tricks that used fragmentation to fool IDSes and so on -
mandatory defragmentation of incoming traffic on perimeter devices will
not solve the problem.
I concluded some time back -- coming at it from an entirely different
angle from either of these -- that IP-layer fragmentation and reassembly
was fatally flawed. All sane implementations should set DF, and all but
the most secure of tunnels should honour it.
David Gillett
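
As an added example (not part of either message in this thread), one way to audit captured IPv4 headers for the DF behaviour discussed above: it decodes the flags/fragment-offset word and tallies packets that are already fragments, packets with DF clear that a router may still fragment, and packets with DF set. The function names, the sample headers and the documentation-range addresses are constructed for illustration.

```python
import struct
from collections import Counter

DF, MF, OFFSET_MASK = 0x4000, 0x2000, 0x1FFF  # IPv4 flags/fragment-offset word

def frag_fields(header: bytes) -> dict:
    """Decode the fragmentation-related fields of a raw IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ident, word = struct.unpack("!HH", header[4:8])
    return {"id": ident, "df": bool(word & DF), "mf": bool(word & MF),
            "offset": (word & OFFSET_MASK) * 8}  # offset is stored in 8-byte units

def classify(header: bytes) -> str:
    """'fragment': already fragmented; 'fragmentable': DF clear, so a router
    may still fragment it; 'df-set': sender asked for no fragmentation."""
    f = frag_fields(header)
    if f["mf"] or f["offset"] > 0:
        return "fragment"
    return "df-set" if f["df"] else "fragmentable"

def audit(headers) -> Counter:
    """Tally a set of headers by fragmentation status."""
    return Counter(classify(h) for h in headers)

def make_header(ident: int, word: int) -> bytes:
    """Build a constructed 20-byte IPv4/TCP header (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ident, word, 64, 6, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))

# Constructed sample headers, not captured traffic.
SAMPLES = [
    make_header(1, DF),    # DF set, whole datagram
    make_header(2, 0),     # DF clear, whole datagram
    make_header(3, MF),    # first fragment of datagram 3
    make_header(3, 185),   # last fragment, offset 185 * 8 = 1480 bytes
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(frag_fields(h), classify(h))
    print(dict(audit(SAMPLES)))
```

A "df-set" result only reflects what the sender requested; as the quoted footnote says, some routers or tunnels ignore the flag.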