[20116] in bugtraq
Re: A fragmentation attack against IP Filter
daemon@ATHENA.MIT.EDU (Thomas Lopatic)
Mon Apr 9 21:20:56 2001
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Message-ID: <5.0.2.1.2.20010409140226.00b444c8@lopatic.de>
Date: Mon, 9 Apr 2001 14:12:22 +0200
Reply-To: Thomas Lopatic <thomas@LOPATIC.DE>
From: Thomas Lopatic <thomas@LOPATIC.DE>
X-To: Manuel Bouyer <bouyer@antioche.lip6.fr>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20010409103028.B20422@antioche.eu.org>
Hi there,
>Looking at the ipf code (3.4.9, the one included in NetBSD 1.5), it looks
>like an entry is added to the decision cache only if the packet
>matches a rule with 'keep state' or 'keep frags'. So a ruleset without
>any 'keep state'/'keep frags' should not be vulnerable.
>Or did I miss something?
For the packet filtering code you are perfectly right. The advisory should
have said so. Still, the NAT code seems to also add entries to the decision
cache. Unfortunately I do not currently have the time to take a closer look
at the NAT code, so I do not know about the implications of this for packet
filtering.
If you find anything interesting in there let us know. :-)
-Thomas