The only time I've heard of this attack being successful was when Winblows was unpatched. I know with Linux, syslogd will start spitting off some errors, and if you have some countermeasures in place, you can just have, after X period, iptables (ipchains, ipfwadm, whatever) block the host off.
Although, your way does take less time on the box admin's part :)

-Jeff

On Wed, 23 Jan 2002, Priscilla Oppenheimer wrote:

> Perhaps to try to catch a hacker? Sending numerous IP fragments is a known
> hacker technique. It can result in a denial of service because the host
> doing the reassembling has to gather up the fragments and wait for them to
> complete, which can cause buffer overruns and excess CPU usage. A hacker
> could ping (or whatever) your router (or devices behind the router) with
> fragments in an attempt to cause the recipient to slow down and possibly
> stop doing its job.
>
> You would only want to have this filter on for a short time and use it for
> logging purposes. Having it on indefinitely would make matters even worse.
>
> Other than that, I can't think of a use for such an ACL.
>
> Priscilla
>
> At 07:18 AM 1/23/02, bergenpeak wrote:
> >Looking at extended ACLs I see there's an option to define ACL
> >statements which can key on whether the IP packet contains a
> >fragment.
> >
> >Besides for NAT purposes, could someone provide me with a scenario
> >where one would need to develop an ACL to key on IP packets carrying
> >fragments? I'd be particularly interested in situations where one
> >might want to block a TCP application and decided that one had to
> >block traffic to the TCP port as well as fragments going to the server.
> >
> >Thanks
> ________________________
>
> Priscilla Oppenheimer
> http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33057&t=32922
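The following is an added example, not code from any poster in this thread: it classifies IPv4 headers as unfragmented, initial fragment or non-initial fragment (the last kind carries no TCP header, which is why a port-based rule alone does not cover it) and counts fragments per source over a time window, the kind of threshold that could feed a block rule. The names `classify`, `FragmentRateMonitor` and `make_header`, the threshold and window values, and the sample headers are all assumptions constructed for illustration.

```python
import struct
from collections import defaultdict, deque

def classify(ip_header: bytes):
    """Return (source address, kind) for a raw IPv4 header."""
    if len(ip_header) < 20 or ip_header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    flags_off = struct.unpack("!H", ip_header[6:8])[0]
    more_fragments = bool(flags_off & 0x2000)   # MF flag
    offset = flags_off & 0x1FFF                 # fragment offset, 8-byte units
    src = ".".join(str(b) for b in ip_header[12:16])
    if offset:
        # Non-initial fragment: no TCP/UDP header, so a port-based rule cannot match it.
        return src, "later-frag"
    return src, ("first-frag" if more_fragments else "whole")

class FragmentRateMonitor:
    """Flag a source that sends more than `threshold` fragments within `window` seconds."""
    def __init__(self, threshold, window):
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(deque)          # source -> timestamps of recent fragments

    def observe(self, ts, ip_header):
        src, kind = classify(ip_header)
        if kind == "whole":
            return None
        recent = self.seen[src]
        recent.append(ts)
        while ts - recent[0] > self.window:     # drop fragments older than the window
            recent.popleft()
        return src if len(recent) > self.threshold else None

def make_header(src, more_fragments, offset):
    """Constructed sample IPv4 header (documentation addresses, checksum left at zero)."""
    flags_off = (0x2000 if more_fragments else 0) | offset
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, flags_off, 64, 6, 0,
                       bytes(map(int, src.split("."))), bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    mon = FragmentRateMonitor(threshold=3, window=10)   # assumed values
    for t in range(5):
        hit = mon.observe(t, make_header("203.0.113.9", True, 0))
        if hit:
            print(f"t={t}s: {hit} exceeded the fragment threshold; candidate for a block rule")
```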

