Intrusion Detection Systems mailing list archives

Re: Fragmentation Question


From: justin.lister () csfb com (Lister, Justin)
Date: Fri, 15 Oct 1999 11:00:26 +0800



[IDS Admin:  I have forwarded this message to the list it is from Darren
Reed]

From: Darren Reed <darrenr () reed wattle id au>
Message-Id: <199910141250.WAA01605 () avalon reed wattle id au>
Subject: Re: IDS: Fragmentation Question
In-Reply-To: <Pine.LNX.4.10.9910131653070.31063-100000 () 7of9 neohapsis com>
from Greg Shipley at "Oct 13, 99 05:22:52 pm"
To: gshipley () neohapsis com (Greg Shipley)
Date: Thu, 14 Oct 1999 22:50:10 +1000 (EST)
Cc: ids () uow edu au
X-Mailer: ELM [version 2.4ME+ PL37 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

In some email I received from Greg Shipley, sie wrote:
[...]
1. Deny all fragments into the network.  I see this is a bad idea, but I
do wonder, how many "natural" fragmented packets appear natively on the
Internet.  I would imagine a fair amount, but I don't have the slightest
idea how to hunt down statistics on this.

Don't know about the internet, but internal LANs (where you may also want
your IDS to operate) should expect a large number - protocols such as NFS
over UDP generate a large number of fragments (8k writes into 1500 byte
packets type thing).

2. Have some perimeter device re-assemble fragmented packets BEFORE they
get to the IDS.  Two options: the router, or the firewall, yeah?  Now, in
a multi-homed, multi-router environment, IMHO, forcing re-assembly is NOT
an option (fragmented packets could come in from two or more directions).

This leaves the firewall, and I'm not even going to open the can of worms
surrounding firewall load balancing.

So let's assume a single firewall.  Who does this?

Linux can (option called IP_DEFRAG_ALWAYS, I think).

I did some digging
with Checkpoint, and they do (ready for this?) "virtual packet
re-assembly."  That is, according to their documentation, they will
re-assemble the packet for purposes of inspection, but then transmit the
fragments back out of the interface.  So fragments in -> fragments out.  
I opened a trouble ticket with them, and the answer I got back was "No, we
don't do packet re-assembly - can't be done."  Does anyone else have any
info on this?

Use of Path MTU Detection is largely doing away with the appearance of
fragments on the Internet, today.  Most packets now have the "Don't Fragment"
flag set in them, causing an ICMP error in response and the originating host
to use smaller packets with that destination (well that's the theory
anyway).

Attempting to reassemble packets exposes you to an easily exploitable DoS
attack - send lots of fragments which don't make up complete packets and
see how well memory is managed, basically :)

There's a bunch of good reasons (network theory) which point out why
reassembling packets on anything forwarding them is a bad idea unless
you want your network to pack up and go home.  I believe fragmentation
of IPv6 packets is not permitted.

Does that help ?

Darren
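The reassembly state and the fragment-flood caveat discussed above, as an added Python example; it is not part of the thread and not code from Linux, Checkpoint or any other product mentioned. It assumes a 1500-byte MTU and a 20-byte IPv4 header, and the sample datagram (sized like an 8 KB NFS write plus its UDP header), the addresses, the identification values and the byte cap are all constructed inputs.

```python
"""Bounded IP fragment reassembly (added example, not code from the thread):
the state an inline firewall or IDS keeps to reassemble, plus the memory cap
and timeout that a stream of never-completed fragments makes necessary."""
import time
from dataclasses import dataclass

IP_HEADER_LEN = 20        # minimal IPv4 header, no options (assumed)
MAX_DATAGRAM = 65535      # IPv4 total length is a 16-bit field


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    proto: int
    ident: int       # IP identification field, shared by all pieces of one datagram
    offset: int      # byte offset of this piece (the 13-bit header field times 8)
    more: bool       # MF flag: set on every fragment except the last
    data: bytes


def fragment_payload(payload, src, dst, proto, ident, mtu=1500):
    """Split one IP payload into the fragments a link of the given MTU carries;
    every non-final fragment holds a multiple of 8 bytes (1480 at MTU 1500)."""
    per_fragment = (mtu - IP_HEADER_LEN) // 8 * 8
    pieces = []
    for off in range(0, len(payload), per_fragment):
        chunk = payload[off:off + per_fragment]
        pieces.append(Fragment(src, dst, proto, ident, off,
                               off + len(chunk) < len(payload), chunk))
    return pieces


class Reassembler:
    """Reassembles fragments while capping the bytes held for all incomplete
    datagrams and expiring any that has waited longer than the timeout."""

    def __init__(self, max_total_bytes=1 << 20, timeout=30.0):
        self.max_total_bytes = max_total_bytes
        self.timeout = timeout
        self.partial = {}    # (src, dst, proto, ident) -> state of one datagram
        self.buffered = 0    # bytes currently held for incomplete datagrams
        self.stats = {"complete": 0, "expired": 0,
                      "dropped_memory": 0, "dropped_invalid": 0}

    def expire(self, now):
        """Free every partial datagram older than the timeout."""
        for key in [k for k, st in self.partial.items()
                    if now - st["first"] > self.timeout]:
            self._forget(key)
            self.stats["expired"] += 1

    def _forget(self, key):
        self.buffered -= self.partial.pop(key)["bytes"]

    def _invalid(self, key=None):
        if key in self.partial:
            self._forget(key)
        self.stats["dropped_invalid"] += 1
        return None

    def feed(self, frag, now=None):
        """Accept one fragment; return the reassembled payload when a datagram
        completes, otherwise None."""
        now = time.monotonic() if now is None else now
        self.expire(now)
        end = frag.offset + len(frag.data)
        if end > MAX_DATAGRAM or (frag.more and len(frag.data) % 8):
            return self._invalid()          # over 16-bit length, or misaligned piece
        if self.buffered + len(frag.data) > self.max_total_bytes:
            self.stats["dropped_memory"] += 1   # the cap that bounds a fragment flood
            return None
        key = (frag.src, frag.dst, frag.proto, frag.ident)
        st = self.partial.setdefault(
            key, {"pieces": {}, "total": None, "bytes": 0, "first": now})
        for off, data in st["pieces"].items():
            if off < end and frag.offset < off + len(data):
                return self._invalid(key)   # overlapping pieces: ambiguous, drop all
        if not frag.more:
            if st["total"] not in (None, end):
                return self._invalid(key)   # two "last" fragments disagree on length
            st["total"] = end
        st["pieces"][frag.offset] = frag.data
        st["bytes"] += len(frag.data)
        self.buffered += len(frag.data)
        pos, parts = 0, []                  # complete only if pieces run 0..total
        for off in sorted(st["pieces"]):
            if off != pos:
                return None                 # gap: a piece is still missing
            parts.append(st["pieces"][off])
            pos += len(parts[-1])
        if pos != st["total"]:
            return None                     # last fragment not seen yet
        self._forget(key)
        self.stats["complete"] += 1
        return b"".join(parts)
```

Splitting an 8200-byte payload (an 8 KB write plus an 8-byte UDP header) with `fragment_payload` gives six fragments at a 1500-byte MTU, and `Reassembler.feed` rebuilds the datagram whatever order they arrive in. The two limits are the point of the example: `max_total_bytes` caps what a stream of first-fragments-only can pin in memory (extra fragments are counted and dropped rather than buffered), and `expire` releases whatever never completes, which is the bookkeeping any device that reassembles in the forwarding path has to get right.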
