[2155] in bugtraq
Re: DO NOT USE THAT PATCH (Re: IP firewalling bugs)
daemon@ATHENA.MIT.EDU (Tom Fitzgerald)
Thu Aug 24 01:15:35 1995
Date: Wed, 23 Aug 1995 23:17:44 EDT
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Tom Fitzgerald <fitz@wang.com>
X-To: BUGTRAQ@CRIMELAB.COM
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To: <199508231959.PAA09808@Collatz.McRCIM.McGill.EDU>; from "der Mouse" at Aug 23, 95 3:59 pm
> Seems to me that there's no reason to use the "new" data rather than
> the "old" data when a new fragment arrives that overlaps
> already-collected data. They're supposed to be the same; any
> difference indicates that at least one of them is definitely corrupted
> in a way that beat the checksum, or else you're under attack. In
> either case, dropping both the incoming packet and the collected
> fragments is probably the best response, seems to me.
Granted....
> If you don't want to compare the bytes, then just make sure old data
> takes precedence over new.
No, this fails if the attacker sends the offset=1 frag first (bypassing the
filter) and the offset=0 frag second (which the filter accepts, and the
defragmenter throws away). The only safe scheme is always to use the data
in the fragment that has the smaller fragment-offset, regardless of the
order of arrival.
Throwing away fragments with offset=1 is also a real good idea.
--
Tom Fitzgerald 1-508-967-5278 Wang Labs, Billerica MA, USA fitz@wang.com
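The three overlap policies discussed in this thread, worked through as an added example; this is not code from the post, from the patch being criticised, or from any real IP stack. It models a defragmenter sitting behind a packet filter that inspects only the offset=0 fragment, and merges two constructed fragments: an offset=0 fragment of 16 'A' bytes (the data the filter saw) and an offset=1 fragment of 8 'B' bytes. IP fragment offsets are in 8-byte units, so offset=1 lands on bytes 8..15 and overlaps the first fragment. The buffer size, byte values, policy names and the `scenario_byte8` helper are all constructed for illustration. The result shows what Fitzgerald argues: "old data wins" keeps the attacker's bytes when the offset=1 fragment arrives first, "smaller offset wins" keeps the inspected bytes in either arrival order, and simply dropping offset=1 fragments removes the overlap altogether.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy reassembly buffer: large enough for the transport-header
 * region a packet filter inspects, not a full 64 KiB datagram. */
#define REASM_MAX 64
#define UNFILLED  0xFFFFu

enum overlap_policy {
    OVERLAP_NEW_WINS,        /* later-arriving fragment overwrites */
    OVERLAP_OLD_WINS,        /* first-arriving fragment is kept (der Mouse's suggestion) */
    OVERLAP_LOW_OFFSET_WINS  /* fragment with the smaller offset is kept (Fitzgerald's rule) */
};

struct fragment {
    unsigned       offset;   /* IP fragment offset, in 8-byte units */
    unsigned       len;      /* payload length in bytes */
    const uint8_t *data;
};

struct reasm {
    uint8_t  buf[REASM_MAX];
    uint16_t owner[REASM_MAX];  /* offset of the fragment that supplied each byte, or UNFILLED */
    unsigned accepted;
};

static void reasm_init(struct reasm *r)
{
    memset(r->buf, 0, sizeof r->buf);
    for (unsigned i = 0; i < REASM_MAX; i++)
        r->owner[i] = UNFILLED;
    r->accepted = 0;
}

/* Merge one fragment under the given overlap policy.
 * Returns 1 if the fragment was accepted, 0 if it was dropped. */
static int reasm_add(struct reasm *r, const struct fragment *f,
                     enum overlap_policy policy, int drop_offset1)
{
    unsigned start = f->offset * 8;

    /* Post's second recommendation: a fragment at offset=1 can only be there
     * to rewrite bytes 8..15 of the header the filter already inspected. */
    if (drop_offset1 && f->offset == 1)
        return 0;
    if (start + f->len > REASM_MAX)
        return 0;  /* out of range for this toy buffer */

    for (unsigned i = 0; i < f->len; i++) {
        unsigned pos  = start + i;
        int      take = 1;                 /* unfilled bytes are always taken */
        if (r->owner[pos] != UNFILLED) {
            switch (policy) {
            case OVERLAP_NEW_WINS:        take = 1; break;
            case OVERLAP_OLD_WINS:        take = 0; break;
            case OVERLAP_LOW_OFFSET_WINS: take = f->offset < r->owner[pos]; break;
            default:                      take = 0; break;
            }
        }
        if (take) {
            r->buf[pos]   = f->data[i];
            r->owner[pos] = (uint16_t)f->offset;
        }
    }
    r->accepted++;
    return 1;
}

/* Constructed scenario helper: returns the byte the reassembled datagram holds
 * at position 8 (inside the overlap), or -1 if that byte was never filled.
 * 'A' means the filter-inspected offset=0 data survived; 'B' means the
 * offset=1 fragment's data replaced it. */
static int scenario_byte8(enum overlap_policy policy, int drop_offset1, int offset1_first)
{
    uint8_t a[16], b[8];
    memset(a, 'A', sizeof a);
    memset(b, 'B', sizeof b);
    struct fragment f0 = { 0, sizeof a, a };
    struct fragment f1 = { 1, sizeof b, b };
    struct reasm r;
    reasm_init(&r);
    const struct fragment *first  = offset1_first ? &f1 : &f0;
    const struct fragment *second = offset1_first ? &f0 : &f1;
    reasm_add(&r, first,  policy, drop_offset1);
    reasm_add(&r, second, policy, drop_offset1);
    return r.owner[8] == UNFILLED ? -1 : r.buf[8];
}

int main(void)
{
    const char *names[] = { "new wins", "old wins", "low offset wins" };
    for (int p = 0; p < 3; p++)
        for (int o1first = 0; o1first < 2; o1first++)
            printf("%-16s offset1 %s: byte 8 = %c\n", names[p],
                   o1first ? "first " : "second", scenario_byte8((enum overlap_policy)p, 0, o1first));
    printf("any policy, offset=1 dropped: byte 8 = %c\n",
           scenario_byte8(OVERLAP_OLD_WINS, 1, 1));
    return 0;
}
```

Running it prints 'B' at byte 8 for "old wins" with the offset=1 fragment arriving first and for "new wins" with it arriving second, and 'A' for "low offset wins" in both orders; with `drop_offset1` set the second fragment is refused and byte 8 is 'A' under every policy.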