ipchains and packet fragmentation attacks - Page 2

Thread: ipchains and packet fragmentation attacks

  1. #11
    AO Ancient: Team Leader (Join Date: Oct 2002, Posts: 5,197)
    While it might sound all very easy you need to remember that you need to do this with every packet in the data stream which is less easy to manage. You would need an SSH client that would ignore or replace the port 22 with port 21 and appropriately fragment each packet into its three sections in order for this to work.

    Doable? Yes. Trivial? Not really.

    Additionally, as you rightly point out, it might make it past the firewall but Snort and almost any other NIDS should start alarm bells jangling in an admin's head when it shows the offset fragmentation of packets.

    If I were presenting this I wouldn't try to demo it because of the complexity of trying it. Murphy's Law clearly states that it will work flawlessly until you are in the middle of the presentation to the board and then..... I would prefer to give a layman's explanation of the issue, why the firewall may fail to detect it and what the host will do with the remaining packets.

    A nice little mitigating factor might be used on servers that are publicly available. Employ IPSec to "Require Security" on all ports that are not publicly available but that provide service locally, (within the DMZ). That way anything that "finds its way" past firewall rules still has the issue of negotiating IPSec via a Pre-Shared Key.... The result... No communication. Should work.... Need to test it in the morning.... Dunno why I never thought of it.... layers, layers, layers......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  2. #12
    If I were presenting this I wouldn't try to demo it because of the complexity of trying it. Murphy's Law clearly states that it will work flawlessly until you are in the middle of the presentation to the board and then..... I would prefer to give a layman's explanation of the issue, why the firewall may fail to detect it and what the host will do with the remaining packets.
    Damn, ain't that the truth! lol!

    Thank you for the input. Definitely something to think about.
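
The NIDS-side check mentioned in post #11, as an added example that is not part of the thread: it flags TCP fragments that split or land inside the header region, and fragments that overlap earlier ones of the same datagram. The names (`FragmentMonitor`, `build`, `scan`, `TCP_MIN_HDR`), the 20-byte threshold and the sample packets are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

TCP_MIN_HDR = 20  # assumption: bytes treated as the TCP header region
IP_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, options not parsed

def parse_ipv4(pkt):
    """Return (datagram key, byte offset, payload length, MF flag, protocol)."""
    vihl, _, total, ident, frag, _, proto, _, src, dst = struct.unpack(IP_HDR, pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return (src, dst, ident, proto), (frag & 0x1FFF) * 8, total - ihl, bool(frag & 0x2000), proto

class FragmentMonitor:
    """Flags suspicious fragments; per-datagram state never expires here."""
    def __init__(self):
        self.seen = defaultdict(list)  # datagram key -> [(start, end), ...]

    def inspect(self, pkt):
        key, start, length, mf, proto = parse_ipv4(pkt)
        if start == 0 and not mf:
            return []  # not a fragment
        end, alerts = start + length, []
        if proto == 6 and start == 0 and length < TCP_MIN_HDR:
            alerts.append("tiny-first-fragment")  # header split across fragments
        if proto == 6 and 0 < start < TCP_MIN_HDR:
            alerts.append("fragment-inside-tcp-header")
        if any(start < e and s < end for s, e in self.seen[key]):
            alerts.append("overlapping-fragment")  # rewrites bytes already seen
        self.seen[key].append((start, end))
        return alerts

def build(ident, offset_units, mf, length, proto=6):
    """Constructed sample: IPv4 header plus `length` zero bytes, checksum 0."""
    frag = (0x2000 if mf else 0) | offset_units
    hdr = struct.pack(IP_HDR, 0x45, 0, 20 + length, ident, frag, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + bytes(length)

def scan(packets):
    mon = FragmentMonitor()
    return [mon.inspect(p) for p in packets]

SAMPLE = [  # constructed traffic between documentation addresses
    build(1, 0, True, 24), build(1, 3, False, 16),  # clean two-part datagram
    build(2, 0, True, 8), build(2, 1, False, 16),   # TCP header split in two
    build(3, 0, True, 24), build(3, 2, False, 16),  # second overlaps the first
]

if __name__ == "__main__": print(scan(SAMPLE))
```

A filter that judges only the first fragment never sees the cases flagged for datagrams 2 and 3, which is why the alert has to come from something that tracks every fragment of a datagram.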
