Re: DO NOT USE THAT PATCH (Re: IP firewalling bugs)

Tom Fitzgerald (fitz@wang.com)
Wed, 23 Aug 1995 23:17:44 EDT

> Seems to me that there's no reason to use the "new" data rather than
> the "old" data when a new fragment arrives that overlaps
> already-collected data.  They're supposed to be the same; any
> difference indicates that at least one of them is definitely corrupted
> in a way that beat the checksum, or else you're under attack.  In
> either case, dropping both the incoming packet and the collected
> fragments is probably the best response, seems to me.

Granted....

> If you don't want to compare the bytes, then just make sure old data
> takes precedence over new.

No, this fails if the attacker sends the offset=1 frag first (bypassing the
filter) and the offset=0 frag second (which the filter accepts, and the
defragmenter throws away).  The only safe scheme is always to use the data
in the fragment that has the smaller fragment-offset, regardless of the
order of arrival.

Throwing away fragments with offset=1 is also a real good idea.

--
Tom Fitzgerald   1-508-967-5278   Wang Labs, Billerica MA, USA   fitz@wang.com
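As an added illustration (not part of the original message or thread), here is a toy Python reassembler that applies the rule above: in any overlap, the bytes from the fragment with the smaller fragment-offset win regardless of arrival order, and fragments with offset=1 are dropped. The fragment payloads and the "old_wins" comparison policy are constructed for the demonstration; MF-flag and total-length handling are left out.

```python
# Added example, not code from the original thread. Offsets are in 8-byte
# units as in the IP header; payloads are constructed, not captured.

FRAG_UNIT = 8

def reassemble(fragments, policy="smaller_offset", drop_offset_one=True):
    """Reassemble (offset, data) fragments given in arrival order.

    policy "smaller_offset": the fragment with the lower offset owns any
    overlapping byte, whatever order the fragments arrived in (the safe rule).
    policy "old_wins": the first-arrived data is kept (the rejected scheme).
    drop_offset_one: reject offset=1 fragments outright, since they can
    overwrite the transport header carried in fragment 0.
    """
    buf = {}  # byte index -> (offset of owning fragment, byte value)
    for offset, data in fragments:
        if drop_offset_one and offset == 1:
            raise ValueError("fragment with offset=1 rejected")
        start = offset * FRAG_UNIT
        for i, b in enumerate(data):
            idx = start + i
            if idx not in buf:
                buf[idx] = (offset, b)
                continue
            owner, _ = buf[idx]
            if policy == "old_wins":
                continue  # whatever arrived first stays
            if offset < owner:
                buf[idx] = (offset, b)  # lower-offset fragment takes over
    if not buf or set(buf) != set(range(len(buf))):
        raise ValueError("incomplete reassembly")
    return bytes(buf[i][1] for i in range(len(buf)))

# Constructed scenario from the message: the attacker's offset=1 fragment
# arrives FIRST and the filter-approved offset=0 fragment SECOND.
FRAG0 = (0, b"HHHHHHHHPPPPPPPP")  # bytes 0..15 as seen by the filter
FRAG1 = (1, b"XXXXXXXX")          # bytes 8..15, overlapping FRAG0

def reassemble_scenario(policy):
    """Attacker-first arrival order, offset=1 drop disabled, to show which
    bytes each policy keeps in the overlap."""
    return reassemble([FRAG1, FRAG0], policy=policy, drop_offset_one=False)

if __name__ == "__main__":
    print(reassemble_scenario("old_wins"))        # b'HHHHHHHHXXXXXXXX'
    print(reassemble_scenario("smaller_offset"))  # b'HHHHHHHHPPPPPPPP'
```

With the default settings the offset=1 fragment is refused before any comparison happens, which is the second recommendation in the message.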