[12367] in bugtraq


Blocking IP Options (was Re: Remote DoS in Axent's Raptor 6.0)

daemon@ATHENA.MIT.EDU (kadokev@MSG.NET)
Thu Oct 28 13:52:06 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-Id:  <19991028160902.6213.qmail@msg.net>
Date:         Thu, 28 Oct 1999 11:09:02 -0500
Reply-To: kadokev@MSG.NET
From: kadokev@MSG.NET
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <532C1F31381FD211A8AF006097D3EC26BA1818@exchange.Tessco.com> from
              "Kuff, Hal" at "Oct 28, 1999  6: 3:33 am"

> 	Can anyone point me to some info on blocking ip options?
> 	A search of cisco's site and dejanews does not show anything.
>
> Hal Kuff
> TESSCO Technologies

IOS has support for blocking a few IP Options, including source route and
IP security; however, the PIX firewall seems to be the only Cisco product that
appears to block the more obscure options.

Darren Reed's IP Filter (see http://newcoombs.anu.edu.au/~avalon/ for details)
is a free packet filter implemented as a loadable kernel module; it runs on many
Unix platforms and is included in the current (Free|Net|Open)BSD distributions.

IP Filter (ipf) can block IP Options and all short fragments.  Where I have
installed ipf, the ipf.rules file usually begins with:

	block in quick from any to any with short frag
	block in quick all with ipopts

I usually then go on to block spoofed packets, including the RFC 1597 source
addresses, and for the truly paranoid, any packets claiming the 127. network
exists on other than the loopback interface.

Kevin
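As an added illustration (not part of Kevin's post or of the IP Filter project), the Python below models what the rules above match on a raw IPv4 datagram: the presence of IP options, a "short" first fragment that cannot hold a transport header, and the two anti-spoofing conditions the post goes on to describe. Interface names "lo0" and "ep0" and all packets are constructed for the example; the short-fragment check only approximates ipf's own test.

```python
import ipaddress
import struct

# Sources the post treats as spoofed when seen on a non-loopback interface:
# the RFC 1597 private blocks and the 127/8 loopback network.
RFC1597_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")
MIN_TRANSPORT_HDR = {1: 8, 6: 20, 17: 8}  # ICMP, TCP, UDP header sizes


def build_ipv4(src, dst, proto=6, options=b"", payload=b"", flags_off=0):
    """Build a constructed IPv4 datagram (test data only, checksum left zero)."""
    options += b"\x00" * (-len(options) % 4)  # options are padded to 32-bit words
    ihl_words = 5 + len(options) // 4
    total_len = ihl_words * 4 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total_len,
                         0, flags_off, 64, proto, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return header + options + payload


def classify(pkt, iface):
    """Return the reasons an inbound packet would match the post's block rules.
    'ipopts' and 'short' approximate ipf's 'with ipopts' / 'with short' tests;
    the last two model the anti-spoofing rules described in the post."""
    reasons = []
    if len(pkt) < 20:
        return ["truncated header"]
    ver_ihl, _, _, _, flags_off, _, proto, _, src, _ = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ihl > 20:  # any IHL beyond the fixed 20 bytes means options are present
        reasons.append("ipopts")
    frag_off = flags_off & 0x1FFF
    # A first fragment (or unfragmented packet) whose payload cannot hold the
    # transport header hides the ports a filter needs to see.
    if frag_off == 0 and len(pkt) - ihl < MIN_TRANSPORT_HDR.get(proto, 0):
        reasons.append("short")
    source = ipaddress.ip_address(src)
    if any(source in net for net in RFC1597_NETS):
        reasons.append("rfc1597 source")
    if source in LOOPBACK_NET and iface != "lo0":
        reasons.append("127/8 not on loopback")
    return reasons
```

For example, a packet carrying an LSRR option (type 0x83, the source-route option IOS can already block) built with `build_ipv4("203.0.113.5", "198.51.100.9", options=b"\x83\x03\x04", payload=b"\x00" * 20)` classifies as `['ipopts']` on "ep0".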
