What is even more fun is trying to send a packet requiring fragmentation
from Linux through a firewall!  A small snippet in the kernel source
shows that Linux will fragment a packet and send the LAST fragment
first, for various reasons that I don't completely understand.  This
means that the first fragment of a packet from a Linux host will have no
layer 4 info!  What is a firewall supposed to do with that other than
hold it in memory, and use some kind of timers and DoS checking code in
the firmware?  I only dealt with this on the Netscreens, and they
currently pass the fragments through for this reason if I remember
correctly.   This isn't perfect, but not too bad, because the host can
most likely handle this better than a firewall handling thousands of
connections for all hosts with a limited memory capacity.

David


Nimesh Vakharia wrote:
> 
> I am curious how the PIX handles this exploit.
> 
> The exploit is Checkpoint reassembles fragmented packet before forwarding.
> But it does not inspect the packet in any way until it has completely
> built the packet... so you can keep sending multiple fragments and it
> keeps reassembling, using up system resources and probably crashes at one
> point. Checkpoint supposedly does not check against its rule base
> (conduit/statics in PIX) when it receives a fragmented packet!
> 
> I vaguely remember that the PIX ignores the first fragment of the
> entire series (if it matches the rules) and forwards everything after that.
> This way irrespective of how malicious the fragment is, it never gets
> built at the host end....Can anyone confirm as to how the PIX handles
> fragmented packets?
> 
> BTW: Check out
>         http://www.enteract.com/~lspitz/fwtable.html
> 
> This really shows how much work needs to be done on firewall code!
>         - Stateful monitoring is a joke
>         - No inspection on sequence nos.
>         - Fragments!
> 
> Nimesh.
> 
> On Fri, 9 Jun 2000, Richard Holland wrote:
> 
> >   This is a bit off-topic, but I recall a discussion of using Checkpoint
> > firewall, and thought I'd share a SANS security newsletter concerning
> > Checkpoint.
> >
> > "It's possible to use various fragmented packets (such as those generated by
> > Jolt2.c) to cause the firewall to crash or operate at 100% CPU utilization.
> > Firewall rules are ineffective for defense.  More information is in this
> > issue as item {00.24.025} ("Check Point FireWall-1 fragmentation DoS")."
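Added example for this thread (not code from any product or poster mentioned above): a bounded fragment tracker of the kind David's post asks for. It reports whether a given fragment even carries the layer-4 ports a rule base needs (a last-fragment-first sender gives it none), and it caps fragments per datagram, pending datagrams, and reassembly time so a stream of never-completing fragments cannot grow state without limit. `make_fragment` only constructs test packets; the three limits are assumed values, not any firewall's defaults.

```python
import struct
import time

# Defensive bounds chosen for this example (not taken from any product mentioned in the thread).
MAX_FRAGS_PER_DGRAM, MAX_PENDING_DGRAMS, REASSEMBLY_TIMEOUT = 64, 1024, 30.0

def make_fragment(ident, offset, mf, payload, proto=17):
    """Constructed IPv4 fragment for testing (checksum left zero, 10.0.0.1 -> 10.0.0.2)."""
    flags_frag = (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag, 64, proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr + payload

def parse_ipv4(pkt):
    """Return (flow key, more-fragments flag, fragment offset in bytes, payload)."""
    vihl, _, total, ident, ff, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return (src, dst, proto, ident), bool(ff & 0x2000), (ff & 0x1FFF) * 8, pkt[(vihl & 0x0F) * 4:total]

def transport_visible(pkt):
    """True only when this fragment carries the TCP/UDP port fields a rule base needs."""
    (_, _, proto, _), _, offset, payload = parse_ipv4(pkt)
    return offset == 0 and len(payload) >= {6: 20, 17: 8}.get(proto, 0)

class FragmentTracker:
    def __init__(self, now=time.monotonic):
        self.now, self.pending = now, {}   # key -> [first_seen, {offset: (mf, payload)}]
    def observe(self, pkt):
        """Classify a packet: 'unfragmented', 'buffered', 'complete' or 'dropped'."""
        key, mf, offset, payload = parse_ipv4(pkt)
        if not mf and offset == 0:
            return "unfragmented"
        cutoff = self.now() - REASSEMBLY_TIMEOUT     # timer: forget stale partial datagrams
        self.pending = {k: v for k, v in self.pending.items() if v[0] >= cutoff}
        if key not in self.pending:
            if len(self.pending) >= MAX_PENDING_DGRAMS:
                return "dropped"                     # refuse new state rather than grow unbounded
            self.pending[key] = [self.now(), {}]
        frags = self.pending[key][1]
        if len(frags) >= MAX_FRAGS_PER_DGRAM:
            del self.pending[key]                    # abusive datagram: release everything held for it
            return "dropped"
        frags[offset] = (mf, payload)
        end = 0
        for off in sorted(frags):                    # complete = contiguous from 0, MF clear at the end
            if off != end:
                return "buffered"
            end = off + len(frags[off][1])
        if frags[max(frags)][0]:
            return "buffered"
        del self.pending[key]
        return "complete"
```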

___________________________________
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]