[65645] in North American Network Operators' Group
Re: Firewall stateful handling of ICMP packets
daemon@ATHENA.MIT.EDU (Owen DeLong)
Thu Dec 4 02:14:43 2003
Date: Wed, 03 Dec 2003 23:13:24 -0800
From: Owen DeLong <owen@delong.com>
To: Valdis.Kletnieks@vt.edu
Cc: Sean Donelan <sean@donelan.com>, nanog@merit.edu
In-Reply-To: <200312040353.hB43rpHA011864@turing-police.cc.vt.edu>
Errors-To: owner-nanog-outgoing@merit.edu
--On Wednesday, December 3, 2003 10:53 PM -0500 Valdis.Kletnieks@vt.edu wrote:
> On Wed, 03 Dec 2003 15:57:37 PST, Owen DeLong <owen@delong.com> said:
>
>> around. (In fact, I'm hard pressed to imagine how a Frag needed packet
>> for an invalid session could do much of anything).
>
> You can use a forged 'frag needed' to stomp an existing connection of the
> victim's down to 64 byte MTU or similar silliness, but other than sheer
> "it's a packet" DDoS effects, I can't think of a malicious use for one for
> an invalid session either....
Agreed. However, the former pretty much requires knowledge, a lot of packets,
or a really lucky set of guesses.
Owen
--
If it wasn't crypto-signed, it probably didn't come from me.
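
Added example, not part of the original message or of any firewall's code: a sketch of the stateful check discussed in this thread, where an ICMP "frag needed" (type 3, code 4) is honoured only if the header it quotes matches a tracked session and an in-flight sequence number. The session table layout, the MIN_MTU floor of 576 and the function names are assumptions made for illustration.

```python
import struct
from ipaddress import IPv4Address

MIN_MTU = 576  # assumed policy floor, not a value from the thread

# Constructed session table: (src, dst, sport, dport) -> (snd_una, snd_nxt)
SESSIONS = {("192.0.2.10", "198.51.100.7", 40000, 443): (1000, 5000)}

def build_frag_needed(mtu, src, dst, sport, dport, seq):
    """Build a constructed ICMP type 3 code 4 message (checksum left 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0, 0x4000, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return (struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + ip
            + struct.pack("!HHI", sport, dport, seq))

def check_frag_needed(icmp, sessions=SESSIONS):
    """Return 'accept' or a drop reason. ICMP checksum is not verified here."""
    if len(icmp) < 8 + 20 + 8:
        return "drop: truncated"
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (typ, code) != (3, 4):
        return "drop: not frag-needed"
    inner = icmp[8:]                      # quoted original IP header + 8 bytes
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return "drop: bad embedded header"
    if inner[9] != 6:                     # this sketch tracks TCP sessions only
        return "drop: not TCP"
    src = str(IPv4Address(inner[12:16]))
    dst = str(IPv4Address(inner[16:20]))
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    state = sessions.get((src, dst, sport, dport))
    if state is None:
        return "drop: no matching session"
    una, nxt = state
    # The quoted sequence number must fall in unacknowledged data (mod 2^32).
    if (seq - una) % 2**32 >= (nxt - una) % 2**32:
        return "drop: sequence outside in-flight window"
    if mtu < MIN_MTU:
        return "drop: MTU below floor"
    return "accept"

if __name__ == "__main__":
    for mtu, sport, seq in [(1400, 40000, 2000), (1400, 40000, 9000),
                            (1400, 40001, 2000), (64, 40000, 2000)]:
        pkt = build_frag_needed(mtu, "192.0.2.10", "198.51.100.7", sport, 443, seq)
        print(mtu, sport, seq, "->", check_frag_needed(pkt))
```
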