[20119] in bugtraq


Re: A fragmentation attack against IP Filter

daemon@ATHENA.MIT.EDU (Manuel Bouyer)
Mon Apr 9 21:35:12 2001

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID:  <20010409103028.B20422@antioche.eu.org>
Date:         Mon, 9 Apr 2001 10:30:28 +0200
Reply-To: Manuel Bouyer <bouyer@ANTIOCHE.LIP6.FR>
From: Manuel Bouyer <bouyer@ANTIOCHE.LIP6.FR>
X-To:         Thomas Lopatic <thomas@LOPATIC.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <5.0.2.1.2.20010409000933.00b69eb8@mail.shagpoint.org>; from
              thomas@LOPATIC.DE on Mon, Apr 09, 2001 at 12:16:14AM +0200

Hi,

On Mon, Apr 09, 2001 at 12:16:14AM +0200, Thomas Lopatic wrote:
> [...]
>
> Details
> -------
>
> When IP Filter evaluates the rule-base for an IP fragment and decides
> whether to pass it or block it, this decision is saved in a "decision
> cache" together with the fragment's IP ID, protocol number, source
> address and destination address fields.

Looking at the ipf code (3.4.9, the one included in NetBSD 1.5), it looks
like an entry is added to the decision cache only if the packet
matches a rule with 'keep state' or 'keep frags'. So a ruleset without
any 'keep state'/'keep frags' should not be vulnerable.
Or did I miss something?

--
Manuel Bouyer <bouyer@antioche.eu.org>
--
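A small model of the fragment decision cache this thread discusses, added here as an example and not part of the original message or of IP Filter's code: the cache key is (IP ID, protocol, source, destination), an entry is stored only when the matching rule keeps fragments, and a later fragment with the same key is answered from the cache instead of the ruleset. Rule matching is deliberately simplified (last match wins, no 'quick', ports known only on the first fragment).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model for illustration; not ipf's implementation.

@dataclass(frozen=True)
class Fragment:
    ip_id: int
    proto: int
    src: str
    dst: str
    first: bool                 # True for the fragment carrying the transport header
    dport: Optional[int] = None  # only known on the first fragment

@dataclass
class Rule:
    action: str                 # "pass" or "block"
    proto: int
    dport: Optional[int] = None  # None matches any port
    keep_frags: bool = False    # models 'keep frags' / 'keep state'

CacheKey = Tuple[int, int, str, str]

class FragmentFilter:
    def __init__(self, rules: List[Rule], default: str = "block"):
        self.rules = rules
        self.default = default
        self.cache: Dict[CacheKey, str] = {}

    def _match_rules(self, frag: Fragment) -> Tuple[str, bool]:
        # Simplified ipf semantics: the last matching rule decides.
        decision, keep = self.default, False
        for r in self.rules:
            if r.proto != frag.proto:
                continue
            if r.dport is not None and frag.dport != r.dport:
                continue  # port rules cannot match a headerless later fragment
            decision, keep = r.action, r.keep_frags
        return decision, keep

    def decide(self, frag: Fragment) -> Tuple[str, str]:
        """Return (decision, source) where source is 'cache' or 'rules'."""
        key: CacheKey = (frag.ip_id, frag.proto, frag.src, frag.dst)
        cached = self.cache.get(key)
        if cached is not None:
            return cached, "cache"   # later fragments bypass the ruleset
        decision, keep = self._match_rules(frag)
        if keep:                     # only 'keep frags' rules populate the cache
            self.cache[key] = decision
        return decision, "rules"
```

Running the model with and without `keep_frags` shows the point of the reply: without it the cache stays empty and every fragment is evaluated against the rules on its own.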
