Security (was comcast thread)

Aaron aaron at aarons.net
Fri Jan 25 18:42:56 CST 2002


> One of the fairly useful approaches to circumventing firewalls...
>
> IIRC, with linux, setting the ip_always_defrag
> (/proc/sys/net/ipv4/ip_always_defrag) flag in the kernel will render most
> of these attacks useless, as the kernel assembles all packet fragments BEFORE
> applying firewall rules, rather than blindly passing packet fragments.
> Anyone actually tried this ITRW to see what happens?

I haven't tried it, but I will and let you know how it works.

> Was this using the packet-fragment trick, to overwrite portions of the IP
> header, or some other trick?

No, we set the ACK flags to trick the firewall into thinking it was an
acknowledgement to a previous request.

>
> Out of curiosity, what sort of firewall were you running when testing this?

IPChains, CISCO Access Lists and the XP firewall are all we used it against.
We're going to move up the sophistication level of the targets next week.

>
> If the firewall was linux based, did you try setting the above flag and
> seeing what happened?

No, I didn't set the above flag.  I will.  Thanks for the suggestion.  Of
course, you're right.  If the firewall itself reassembles the packets before
it examines them then the method is useless.  Also, if you're using a
stateful firewall the ACK method is useless as well.  Unfortunately, the
home gateway products (like the Linksys, and Dlink) are neither of these.

Aaron
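The exchange above turns on the difference between a stateless "established" rule (admit any inbound segment with ACK set, which is what ipchains-style rules and router ACLs typically did) and a stateful filter that only admits inbound traffic matching a connection it saw opened from the inside. The following is an added illustration, not code from Aaron, the list, or any of the products named; it is a toy model with constructed addresses and segments that shows why the stateless rule admits a forged ACK while connection tracking rejects it.

```python
"""
Toy model of the two firewall behaviours discussed in the thread.
All addresses, ports and segments below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset      # e.g. {"SYN"}, {"ACK"}, {"SYN", "ACK"}
    inbound: bool         # True if arriving from the outside interface


def stateless_filter(seg):
    """Stateless 'established' rule: any inbound segment carrying ACK is
    treated as a reply to an outbound connection and admitted.  This is the
    style of rule the thread says a forged-ACK segment slips past."""
    if not seg.inbound:
        return True
    return "ACK" in seg.flags


class StatefulFilter:
    """Minimal connection tracker: remembers connections opened from the
    inside (outbound SYN) and only admits inbound segments whose 4-tuple
    matches one of them, regardless of which TCP flags are set."""

    def __init__(self):
        self.table = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def allow(self, seg):
        if not seg.inbound:
            if "SYN" in seg.flags and "ACK" not in seg.flags:
                self.table.add((seg.src, seg.sport, seg.dst, seg.dport))
            return True
        # Inbound: look up the connection from the inside host's perspective.
        key = (seg.dst, seg.dport, seg.src, seg.sport)
        return key in self.table


def run_scenarios():
    """Run a legitimate outbound connection and two unsolicited inbound
    segments through both filters.  Returns name -> (stateless, stateful)."""
    inside, outside, stranger = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    cases = [
        ("legit_syn",   Segment(inside, 40000, outside, 80, frozenset({"SYN"}), inbound=False)),
        ("legit_reply", Segment(outside, 80, inside, 40000, frozenset({"SYN", "ACK"}), inbound=True)),
        ("unsolicited_syn", Segment(stranger, 1234, inside, 445, frozenset({"SYN"}), inbound=True)),
        ("unsolicited_ack", Segment(stranger, 1234, inside, 445, frozenset({"ACK"}), inbound=True)),
    ]
    tracker = StatefulFilter()
    results = {}
    for name, seg in cases:
        results[name] = (stateless_filter(seg), tracker.allow(seg))
    return results


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenarios().items():
        print(f"{name:16s} stateless={'ALLOW' if stateless else 'DROP':5s} "
              f"stateful={'ALLOW' if stateful else 'DROP'}")
```

Both filters accept the genuine SYN/ACK reply and drop the unsolicited SYN; only the stateful tracker drops the unsolicited segment that merely has ACK set, which is the distinction the message draws between the ipchains/ACL targets and a stateful firewall. The same logic applies to the fragment point in the quoted text: a filter that evaluates each fragment in isolation never sees the TCP flags in a non-first fragment, whereas reassembling before filtering (ip_always_defrag) lets it apply these checks to the whole segment.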
