[65643] in North American Network Operators' Group
Re: Firewall stateful handling of ICMP packets
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Wed Dec 3 23:00:53 2003
To: Owen DeLong <owen@delong.com>
Cc: Sean Donelan <sean@donelan.com>, nanog@merit.edu
In-Reply-To: Your message of "Wed, 03 Dec 2003 15:57:37 PST."
<2147483647.1070467057@imac-en0.delong.sj.ca.us>
From: Valdis.Kletnieks@vt.edu
Date: Wed, 03 Dec 2003 22:53:51 -0500
Errors-To: owner-nanog-outgoing@merit.edu
--==_Exmh_378566303P
Content-Type: text/plain; charset=us-ascii
On Wed, 03 Dec 2003 15:57:37 PST, Owen DeLong <owen@delong.com> said:
> around. (In fact, I'm hard pressed to imagine how a Frag needed packet
> for an invalid session could do much of anything).
You can use a forged 'frag needed' to stomp an existing connection of the
victim's down to 64 byte MTU or similar silliness, but other than sheer
"it's a packet" DDoS effects, I can't think of a malicious use for one for
an invalid session either....
--==_Exmh_378566303P
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001
iD8DBQE/zq/PcC3lWbTT17ARAo1MAKDXI0ekHQ9B1i/fX/iTle5exLshbgCg763z
ks3fcYX3gV0DRqYaSxIMgyQ=
=nubt
-----END PGP SIGNATURE-----
--==_Exmh_378566303P--
