July 11th, 2002, 07:31 PM
I've heard that the more destructive hackers out there can flood a system with fragmented IGMP packets and crash a firewall. If this is true, why don't vendors put a block on this?
July 11th, 2002, 07:33 PM
They have; a lot of firewalls just drop incomplete or fragmented packets.
July 11th, 2002, 07:48 PM
It's not the fragmented ICMP packet you have to worry about; it is DDoS attacks or DRDoS attacks which are more of a problem. Check out the GRC.COM website to read Steve Gibson's article on both of these attacks on his net by some folks. It is VERY informative...
Here's the link
My other Computer is a 4000 node Beowulf Cluster
July 11th, 2002, 09:09 PM
DoS attacks on a firewall don't bypass them; they completely destroy them. It's a very noisy technique, and that is what many unskilled attackers do. If you want to know some quieter techniques for bypassing firewalls, go to http://neworder.box.sk/subject.php?s...%3E+Networking and read their three tutorials on getting around firewalls.
July 11th, 2002, 09:27 PM
Yeah. ICMP and UDP packets are generally the choice. If it's a massive attack, then your software will go to dirt. If it's hardware, your firewall will try to keep up but fail. I have ZoneAlarm, and I've had it crash on me because of it. I lost all the logs.
July 11th, 2002, 09:36 PM
I think there are a number of issues that have been compiled together in the composed question.
The thread title indicates a circumvention, while the question illustrates a DoS/DDoS.
In days of old, IP frags (of any type of transport) were used to bypass ipfilters and _some_ firewalls, but these were not blasts, but rather pre-meditated and crafted attacks of minimal transaction.
There are a few scenarios that I am aware of that use IGMP messages with fragmentation as DoS/DDoS attacks, the general purpose being either to eat up memory in the normal traffic-based manner (not real effective) or to create a mishandling in the TCP/IP stack, i.e. illegal fragment offsets.
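The post above mentions fragment-offset mishandling in the TCP/IP stack as the mechanism behind the IGMP fragment floods the thread asks about. The following Python is an added example, not code from this thread or any of the posters: a small inspector that parses the fragmentation fields of an IPv4 header and reports the cases a reassembler can mishandle (an offset that would write past the 64 KiB datagram limit, fragments that overlap, a non-final fragment whose length is not a multiple of 8, and any fragmented IGMP message at all, since IGMP messages are small enough never to need fragmentation). The packets it checks are constructed inline with `build_fragment` (minimal 20-byte header, no options, checksum left zero); the function and class names are this example's own.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_IP_DATAGRAM = 65535   # largest IPv4 datagram a reassembler must ever hold
IPPROTO_IGMP = 2


@dataclass
class Fragment:
    ident: int        # Identification field: groups the fragments of one datagram
    offset: int       # byte offset into the original datagram (header field * 8)
    more: bool        # MF flag: more fragments follow
    payload_len: int  # bytes of payload carried by this fragment
    proto: int        # upper-layer protocol number


def parse_ipv4_header(pkt: bytes) -> Fragment:
    """Pull the fragmentation fields out of a minimal IPv4 header (no options assumed)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return Fragment(ident=ident,
                    offset=(flags_frag & 0x1FFF) * 8,
                    more=bool(flags_frag & 0x2000),
                    payload_len=total_len - ihl,
                    proto=proto)


@dataclass
class Datagram:
    ranges: List[Tuple[int, int]] = field(default_factory=list)  # [start, end) ranges seen so far
    final_end: Optional[int] = None                             # end of the MF=0 fragment, once seen


class FragmentInspector:
    """Tracks fragments per Identification value and reports malformed ones a stack could mishandle."""

    def __init__(self) -> None:
        self.datagrams: Dict[int, Datagram] = {}

    def inspect(self, pkt: bytes) -> List[str]:
        f = parse_ipv4_header(pkt)
        findings: List[str] = []
        if f.proto == IPPROTO_IGMP and (f.more or f.offset > 0):
            findings.append("fragmented IGMP message")   # IGMP messages are tiny; fragmenting one is not normal
        if f.offset + f.payload_len > MAX_IP_DATAGRAM:
            findings.append("offset overrun")            # data would land past the 64 KiB reassembly buffer
        if f.more and f.payload_len % 8 != 0:
            findings.append("non-final fragment not a multiple of 8 bytes")
        dg = self.datagrams.setdefault(f.ident, Datagram())
        start, end = f.offset, f.offset + f.payload_len
        if any(start < e and s < end for s, e in dg.ranges):
            findings.append("overlapping fragment")       # overlap that reassemblers resolve inconsistently
        if not f.more:
            if dg.final_end is not None and dg.final_end != end:
                findings.append("conflicting final fragment")
            dg.final_end = end
        elif dg.final_end is not None and end > dg.final_end:
            findings.append("fragment beyond final fragment")
        dg.ranges.append((start, end))
        return findings


def build_fragment(ident: int, offset: int, more: bool, payload: bytes, proto: int = 17) -> bytes:
    """Constructed test packet: minimal IPv4 header (checksum left zero) followed by the payload."""
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr + payload


def demo() -> Dict[str, List[str]]:
    """Runs the inspector over four constructed cases and returns the findings per case."""
    insp = FragmentInspector()
    out: Dict[str, List[str]] = {}
    # benign: a UDP datagram split into two well-formed pieces
    out["benign"] = (insp.inspect(build_fragment(1, 0, True, b"A" * 16))
                     + insp.inspect(build_fragment(1, 16, False, b"B" * 8)))
    # second fragment overlaps the first one
    insp.inspect(build_fragment(2, 0, True, b"A" * 16))
    out["overlap"] = insp.inspect(build_fragment(2, 8, False, b"B" * 16))
    # offset so high that the payload would land past the 64 KiB limit
    out["overrun"] = insp.inspect(build_fragment(3, 65528, False, b"C" * 16))
    # an IGMP message that arrives fragmented
    out["igmp"] = insp.inspect(build_fragment(4, 0, True, b"D" * 8, proto=IPPROTO_IGMP))
    return out


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {findings or 'ok'}")
```

A firewall that drops on any of these findings (or simply drops all fragments, as the second reply says many do) never hands the malformed datagram to the host's reassembler, which is the mitigation the thread is circling around.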
July 11th, 2002, 10:22 PM
Some software and hardware firewalls have an anti-DoS on. ZoneAlarm and Outpost are supposed to have one, unless there is a hole and you have something helping with the attack. I'd just suggest rather not logging everything in a flood and just logging off the internet, then going back on in a few minutes or hours. Configuring the security correctly would help.
July 11th, 2002, 10:45 PM
In some hardware firewalls, you can activate an anti-DoS function. The problem is that it puts a huge overhead on the firewall and management console itself, as an enormous amount of logs get generated once you turn it on.
The way the anti-DoS function works is that, in a nutshell, it relays or proxies the 3-way handshake. Basically, when you turn it on, instead of the client performing the 3-way handshake with the host, the firewall performs the entire handshake process on its behalf.
There are a variety of different methods of this anti-DoS function; some put more of an overhead on the firewall than others.
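The post above describes the firewall completing the 3-way handshake on the host's behalf. As an added example (not code from the thread or from any firewall vendor), the following Python simulates that behaviour with a toy `SynProxy`: it answers every SYN itself, holds a half-open entry per client, and only contacts the protected host once the client's ACK proves the handshake is real. The per-client table is exactly the overhead the poster warns about, so the proxy also caps it and sheds SYNs once it is full. The `Segment` record, the deterministic `_isn` helper and the address values are all constructed for the demo.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Segment:
    """The handful of TCP fields the handshake decision needs (constructed record, not a real parser)."""
    src: str
    seq: int
    ack: int
    syn: bool
    ack_flag: bool


class SynProxy:
    """Toy firewall that answers SYNs itself and contacts the protected host only after the client's ACK."""

    def __init__(self, max_half_open: int = 1000) -> None:
        self.half_open: Dict[str, int] = {}   # client -> ISN the proxy chose; this table is the feature's cost
        self.backend_handshakes = 0           # handshakes the protected host actually had to perform
        self.dropped = 0
        self.max_half_open = max_half_open

    @staticmethod
    def _isn(client: str) -> int:
        # hypothetical deterministic ISN for the demo; a real device uses unpredictable ISNs or SYN cookies
        return int.from_bytes(hashlib.sha256(client.encode()).digest()[:4], "big")

    def handle(self, seg: Segment) -> Tuple[str, Dict[str, int]]:
        if seg.syn and not seg.ack_flag:                          # step 1: client SYN arrives
            if len(self.half_open) >= self.max_half_open:
                self.dropped += 1                                 # table full: shed load instead of exhausting memory
                return "drop", {}
            isn = self._isn(seg.src)
            self.half_open[seg.src] = isn
            return "syn-ack", {"seq": isn, "ack": seg.seq + 1}    # step 2: proxy answers; host sees nothing yet
        if seg.ack_flag and not seg.syn and seg.src in self.half_open:   # step 3: client ACK
            if seg.ack == self.half_open[seg.src] + 1:
                del self.half_open[seg.src]
                self.backend_handshakes += 1                      # only now does the proxy open the server side
                return "forward", {}
        self.dropped += 1
        return "drop", {}


def flood_then_real_client(flood_size: int = 200) -> Dict[str, int]:
    """Constructed scenario: many SYNs that never complete, then one honest client that does."""
    proxy = SynProxy(max_half_open=1000)
    for i in range(flood_size):
        proxy.handle(Segment(src=f"198.51.100.{i}", seq=1, ack=0, syn=True, ack_flag=False))
    after_flood = proxy.backend_handshakes
    _, reply = proxy.handle(Segment(src="192.0.2.10", seq=100, ack=0, syn=True, ack_flag=False))
    action, _ = proxy.handle(Segment(src="192.0.2.10", seq=101, ack=reply["seq"] + 1,
                                     syn=False, ack_flag=True))
    return {"backend_after_flood": after_flood,        # host never saw the flood
            "half_open_held": len(proxy.half_open),    # state the firewall is stuck holding for it
            "backend_after_client": proxy.backend_handshakes,
            "client_forwarded": int(action == "forward")}


if __name__ == "__main__":
    print(flood_then_real_client())
```

The numbers the scenario returns make the trade-off concrete: the host performs zero handshakes during the flood, but the firewall is left holding one table entry per bogus SYN, which is why the feature is costly to run and why the cap (or a stateless SYN-cookie scheme) matters.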
There were so many fewer questions when the stars were still just the holes to heaven - JJ
I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool.