[65643] in North American Network Operators' Group

home help back first fref pref prev next nref lref last post

Re: Firewall stateful handling of ICMP packets

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Wed Dec 3 23:00:53 2003

To: Owen DeLong <owen@delong.com>
Cc: Sean Donelan <sean@donelan.com>, nanog@merit.edu
In-Reply-To: Your message of "Wed, 03 Dec 2003 15:57:37 PST."
             <2147483647.1070467057@imac-en0.delong.sj.ca.us> 
From: Valdis.Kletnieks@vt.edu
Date: Wed, 03 Dec 2003 22:53:51 -0500
Errors-To: owner-nanog-outgoing@merit.edu


--==_Exmh_378566303P
Content-Type: text/plain; charset=us-ascii

On Wed, 03 Dec 2003 15:57:37 PST, Owen DeLong <owen@delong.com>  said:

> around.  (In fact, I'm hard pressed to imagine how a Frag needed packet
> for an invalid session could do much of anything).

You can use a forged 'frag needed' to stomp an existing connection of the
victim's down to 64 byte MTU or similar silliness, but other than sheer
"it's a packet" DDoS effects, I can't think of a malicious use for one for
an invalid session either....

--==_Exmh_378566303P
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001

iD8DBQE/zq/PcC3lWbTT17ARAo1MAKDXI0ekHQ9B1i/fX/iTle5exLshbgCg763z
ks3fcYX3gV0DRqYaSxIMgyQ=
=nubt
-----END PGP SIGNATURE-----

--==_Exmh_378566303P--

home help back first fref pref prev next nref lref last post