
Thread: Firewall Bypass

  1. #1

    Firewall Bypass

    I've heard that the more destructive hackers out there can flood a system with fragmented IGMP packets and crash a firewall. If this is true, why don't vendors put a block on this?

  2. #2
    They have; a lot of firewalls just drop incomplete or fragmented packets.

  3. #3
    Senior Member (Join Date Jul 2002, Posts 112)
    It's not the fragmented ICMP packet you have to worry about; it is DDoS attacks or DRDoS attacks which are more of a problem. Check out the GRC.COM website to read Steve Gibson's article on both of these attacks on his net by some folks. It is VERY informative...

    Here's the link

    http://grc.com/dos/drdos.htm
    My other Computer is a 4000 node Beowulf Cluster

  4. #4
    DoS attacks on a firewall don't bypass them; they completely destroy them. It's a very noisy technique, and that is what many unskilled attackers do. If you want to know some quieter techniques for bypassing firewalls, go to http://neworder.box.sk/subject.php?s...%3E+Networking and read their three tutorials on getting around firewalls.

    -Nitro-

  5. #5
    Senior Member (Join Date Aug 2001, Posts 112)
    Yeah. ICMP and UDP packets are generally the choice. If it's a massive attack, then your software will go to dirt. If it's hardware, your firewall will try to keep up but fail. I have ZoneAlarm, and I've had it crash on me because of it. I lost all the logs.
    Viper

  6. #6
    Senior Member (Join Date Jun 2002, Posts 165)
    I think there are a number of issues that have been compiled together in the composed question.

    The thread title indicates a circumvention, while the question illustrates a DoS/DDoS.

    In days of old, IP frags (of any type of transport) were used to bypass ipfilters and _some_ firewalls, but these were not blasts, but rather premeditated and crafted attacks of minimal transaction.

    There are a few scenarios that I am aware of that use IGMP messages with fragmentation as DoS/DDoS attacks, the general purpose being either to eat up memory in the normal traffic-based manner (not real effective), or to create a mishandling in the TCP/IP stack, i.e. illegal fragment offsets.
    -droby10
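The fragment handling the replies above talk about (post #2's "just drop fragmented packets" and droby10's "illegal fragment offsets"), as an added example that is not from this thread or any poster's code: a minimal IPv4 fragment builder plus a reassembler that refuses the malformed cases before it spends any memory on them. A fragment whose data would end past the 65535-byte datagram limit, a non-final fragment whose length is not a multiple of 8, and a fragment that overlaps data already received are all dropped; only well-formed pieces are tracked until the datagram is complete. The TEST-NET addresses, IP identifiers and payloads are constructed, there is no checksum, and the protocol number defaults to IGMP (2) only to match the thread.

```python
import struct

IP_HDR_LEN = 20
MAX_DATAGRAM = 65535                       # 16-bit IPv4 total-length field
MAX_DATA_END = MAX_DATAGRAM - IP_HDR_LEN   # fragment data may not end past here
IPPROTO_IGMP = 2


def build_fragment(ident, offset, more, payload, proto=IPPROTO_IGMP):
    """Pack a minimal IPv4 header (no options, zero checksum) in front of payload.
    offset is in bytes and, as in a real header, must be a multiple of 8.
    Addresses are constructed (TEST-NET-1)."""
    if offset % 8 or offset // 8 > 0x1FFF:
        raise ValueError("fragment offset must be a multiple of 8 below 65536")
    flags_frag = ((1 if more else 0) << 13) | (offset // 8)   # MF bit + 13-bit offset
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(payload), ident,
                      flags_frag, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + payload


def parse_fragment(pkt):
    """Return (ident, byte offset, more-fragments flag, payload) from raw IPv4 bytes."""
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, _proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:IP_HDR_LEN])
    ihl = (ver_ihl & 0x0F) * 4
    return ident, (flags_frag & 0x1FFF) * 8, bool(flags_frag & 0x2000), pkt[ihl:total_len]


class Reassembler:
    """Tracks fragments per IP identifier and rejects malformed ones up front."""

    def __init__(self):
        self.state = {}   # ident -> {"parts": [(start, end), ...], "total": int | None}

    def accept(self, pkt):
        ident, offset, more, payload = parse_fragment(pkt)
        end = offset + len(payload)
        if end > MAX_DATA_END:                 # oversize offset: ping-of-death style
            return "drop:oversize"
        if more and len(payload) % 8:          # only the last fragment may be ragged
            return "drop:bad-length"
        st = self.state.setdefault(ident, {"parts": [], "total": None})
        if st["total"] is not None and end > st["total"]:
            return "drop:overlap"              # data past an already-seen last fragment
        for s, e in st["parts"]:
            if offset < e and s < end:         # teardrop style overlapping data
                return "drop:overlap"
        st["parts"].append((offset, end))
        if not more:
            st["total"] = end
        if st["total"] is not None and self._covered(st):
            del self.state[ident]              # release memory as soon as we are done
            return "complete"
        return "partial"

    @staticmethod
    def _covered(st):
        pos = 0
        for s, e in sorted(st["parts"]):
            if s != pos:
                return False
            pos = e
        return pos == st["total"]
```

The reassembler only ever holds intervals for fragments that passed the checks, so a flood of oversize or overlapping fragments costs it nothing beyond parsing; the remaining attack surface is a flood of well-formed partial datagrams, which real stacks bound with a per-source memory limit and a reassembly timeout not shown here.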

  7. #7
    Some software and hardware firewalls have anti-DoS on. ZoneAlarm and Outpost are supposed to have one, unless there is a hole and you have something helping with the attack. I'd just suggest rather not logging everything in a flood and just logging off the internet, then going back on in a few minutes or hours. Configuring the security correctly would help.

  8. #8
    Senior Member (Join Date Jan 2002, Posts 371)
    In some hardware firewalls, you can activate an anti-DoS function. The problem is that it puts a huge overhead on the firewall and management console itself, as an enormous amount of logs gets generated once you turn it on.

    The way the anti-DoS function works is that, in a nutshell, it relays or proxies the 3-way handshake. Basically, when you turn it on, instead of the client performing the 3-way handshake with the host, the firewall performs the entire handshake process on its behalf.

    There are a variety of different methods for this anti-DoS function; some put more of an overhead on the firewall than others.
    SoggyBottom.

    There were so many fewer questions when the stars were still just the holes to heaven - JJ
    I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool.
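The handshake-proxy behaviour SoggyBottom describes, as an added example that is not from this thread or any vendor's firewall: a stateless SYN proxy in the SYN-cookie style. It answers every SYN itself, encoding an HMAC of the connection 4-tuple, a coarse timestamp and the client's MSS into the sequence number it sends, keeps no per-SYN state at all, and only commits memory (and the handshake toward the real server) once the client proves it received the SYN-ACK by echoing that cookie plus one. The packet dictionaries, addresses, the 64-second clock interval and the two-interval cookie lifetime are assumptions for the simulation; the sequence-number translation a real device then has to do on every packet toward the server is omitted.

```python
import hashlib
import hmac
import os
import time

MASK32 = 0xFFFFFFFF
MSS_TABLE = [536, 1220, 1460]   # MSS values the cookie can encode; the index is stored
MAX_COOKIE_AGE = 2              # accept cookies minted up to two clock ticks ago


class SynProxy:
    """Stateless SYN proxy: the SYN-ACK sequence number is a verifiable cookie,
    so a flood of SYNs whose ACK never comes consumes no state here."""

    def __init__(self, clock=None, secret=None):
        self.secret = secret or os.urandom(16)            # rotated periodically in practice
        self.clock = clock or (lambda: int(time.time()) // 64)
        self.established = []                             # only populated after a valid ACK
        self.backend_handshakes = 0                       # handshakes opened toward the server

    def _mac(self, pkt, count):
        msg = f'{pkt["src"]}:{pkt["sport"]}>{pkt["dst"]}:{pkt["dport"]}|{count}'.encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def _cookie(self, pkt, count):
        """ISN = client_isn + (count in the top 8 bits) + (mac + mss index) mod 2^24."""
        mss_idx = max([i for i, m in enumerate(MSS_TABLE) if m <= pkt.get("mss", 536)], default=0)
        count &= 0xFF
        low = (self._mac(pkt, count) + mss_idx) & 0xFFFFFF
        return (pkt["seq"] + (count << 24) + low) & MASK32

    def _check(self, pkt):
        """Recover the MSS from a client's ACK, or None if the cookie is bogus or stale."""
        client_isn = (pkt["seq"] - 1) & MASK32
        cookie = (pkt["ack"] - 1) & MASK32
        diff = (cookie - client_isn) & MASK32
        count = diff >> 24
        if ((self.clock() - count) & 0xFF) > MAX_COOKIE_AGE:
            return None
        mss_idx = (diff - self._mac(pkt, count)) & 0xFFFFFF
        return MSS_TABLE[mss_idx] if mss_idx < len(MSS_TABLE) else None

    def handle(self, pkt):
        if pkt["flags"] == "SYN":
            # Reply on the server's behalf; nothing is remembered about this SYN.
            return {"flags": "SYN-ACK", "src": pkt["dst"], "sport": pkt["dport"],
                    "dst": pkt["src"], "dport": pkt["sport"],
                    "seq": self._cookie(pkt, self.clock()), "ack": (pkt["seq"] + 1) & MASK32}
        if pkt["flags"] == "ACK":
            mss = self._check(pkt)
            if mss is None:
                return {"flags": "DROP"}
            # The client saw our SYN-ACK, so its address is real: now do the real work.
            self.backend_handshakes += 1
            self.established.append((pkt["src"], pkt["sport"], mss))
            return {"flags": "ESTABLISHED", "mss": mss}
        return {"flags": "DROP"}
```

The overhead the post describes comes from the proxy now terminating every handshake and logging each one; the cookie trick removes the memory cost of half-open connections but not the per-packet CPU cost or the log volume, which is why it is something you turn on rather than leave on.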
