[Please, no flames, I know this is in no way new]
Joao Carlos Cascao wrote:
>
> I read somewhere that non-first IP fragment packets always get through
> cisco ACL's.
>
> Only the first fragment contains header information from higher level
> protocols (like TCP and UDP) that is used by ACL's to perform packet
> filtering. All the subsequent fragments contain the IP
> header (with src and dest IP's) and data to be reassembled provided
> you have the 1st packet.
>
> If the first packet never got through (blocked by ACL) the others will be
> fairly harmless but can be used for some sort of denial of service attacks.
>
I think you are downplaying the import of stateful inspection and
packet (pseudo-)reassembly.
I'm suspecting that most stateless packet filters are vulnerable to the
overlapping fragment attack whereby you can bypass ACLs if there is an
"established" rule.
What you do is send a first fragment that you know will be allowed,
f.i. a packet with SYN=0 and ACK=1 to a port >1023.
Then you send another fragment that overlaps the first, starting
at byte 8. This allows you to overwrite the flags field, and
change it to SYN=1 and ACK=0, which will not be detected by the
router, but WILL be reassembled into a complete packet
with SYN=1 and ACK=0 by the destination host, which will begin
forming a new connection.
At this point you have successfully formed a new connection
on a port where you should not be allowed to form new connections.
Of course, in Bill's setup he'd be safe since there's a firewall
in the way that hopefully handles the issue for him. That is,
unless he's using the network between the firewall and the router
as a DMZ. >:]
Just my $.02
/Mikael Olsson
--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50 Fax: +46-(0)660-122 50
Mobile: +46-(0)70-248 00 33
WWW: http://www.enternet.se E-mail: [EMAIL PROTECTED]
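The packet pseudo-reassembly the reply refers to, as an added example that is not part of the original post: a Python check over constructed fragments of one TCP datagram that applies the RFC 1858 fragment-filtering rules (drop a too-small first fragment, drop any fragment at offset 1) and flags overlapping bytes that disagree. The Fragment type, header values and port numbers are this example's own.

```python
import struct
from dataclasses import dataclass

TCP_HEADER_MIN = 20  # bytes an ACL must see to check ports and flags

@dataclass
class Fragment:
    offset: int     # IP Fragment Offset field, in 8-byte units
    more: bool      # IP More Fragments flag
    payload: bytes  # the transport-layer bytes this fragment carries

def inspect_tcp_fragments(frags):
    """Return the reasons a pseudo-reassembling filter should drop this
    TCP datagram; an empty list means reassemble, then apply the ACL."""
    reasons = []
    first = next((f for f in frags if f.offset == 0), None)
    if first is None:
        reasons.append("no first fragment")
    elif first.more and len(first.payload) < TCP_HEADER_MIN:
        # RFC 1858 tiny-fragment rule: the ACL cannot see the whole TCP header
        reasons.append("first fragment too small to carry the TCP header")
    if any(f.offset == 1 for f in frags):
        # RFC 1858 indirect rule: a legitimate TCP datagram never needs a fragment at
        # offset 1, but one there can rewrite header bytes 8..15 (ack, data offset, flags)
        reasons.append("fragment with offset 1 overlaps the TCP header")
    image = {}  # byte position -> value, rebuilt from every fragment
    for f in frags:
        for i, b in enumerate(f.payload):
            pos = f.offset * 8 + i
            if image.setdefault(pos, b) != b:  # an earlier fragment supplied a different byte
                reasons.append(f"conflicting overlap at byte {pos}")
                break
    return reasons

def tcp_header(sport, dport, flags):
    """Minimal 20-byte TCP header (constructed test data)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0)

ACK, SYN = 0x10, 0x02

# Constructed: a normal two-fragment ACK segment (first fragment 24 bytes, second starts at byte 24)
BENIGN = [Fragment(0, True, tcp_header(40000, 2000, ACK) + b"A" * 4),
          Fragment(3, False, b"B" * 8)]
# Constructed: the overlap described in the post; fragment 2 re-supplies bytes 8..15 with SYN set
OVERLAP = [Fragment(0, True, tcp_header(40000, 2000, ACK) + b"A" * 4),
           Fragment(1, True, tcp_header(40000, 2000, SYN)[8:16]),
           Fragment(3, False, b"B" * 8)]

if __name__ == "__main__":
    print("benign :", inspect_tcp_fragments(BENIGN))
    print("overlap:", inspect_tcp_fragments(OVERLAP))
```

A stateless filter that only looks at the first fragment returns nothing for either input; the conflicting byte 13 is the TCP flags field that the second fragment rewrites.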