Open Source and information security mailing list archives
 
Message-ID: <08cc01c3c005$2471c0b0$6e811299@HURON>
Date: Thu, 11 Dec 2003 08:38:00 -0800
From: "David Gillett" <gillettdavid@...a.edu>
To: "'Michal Zalewski'" <lcamtuf@...ttot.org>,
	<bugtraq@...urityfocus.com>
Cc: <full-disclosure@...sys.com>
Subject: RE: A new TCP/IP blind data injection technique?


> -----Original Message-----
> From: Michal Zalewski [mailto:lcamtuf@...ttot.org]
> 
<snip>
>   1. Path MTU discovery (DF set) prevents fragmentation [*]; some modern
>      systems (Linux) default to this mode - although PMTU discovery is
>      also known to cause problems in certain setups, so it is not always
>      the best way to stop the attack.
> 
>      [*] Also note that certain types of routers or tunnels tend to
>      ignore DF flag, possibly opening this vector again.
<snip> 
> Note that this has nothing to do with old firewall bypassing techniques
> and other tricks that used fragmentation to fool IDSes and so on -
> mandatory defragmentation of incoming traffic on perimeter devices will
> not solve the problem.

  I concluded some time back -- coming at it from an entirely different
angle from either of these -- that IP-layer fragmentation and reassembly 
was fatally flawed.  All sane implementations should set DF, and all but
the most secure of tunnels should honour it.

David Gillett
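
Added example, not part of the original message or the thread: a small audit of captured IPv4 headers that separates packets with DF set from packets a router may still fragment and from packets that already are fragments. The helper names, the sample headers and the 192.0.2.x addresses are constructed for illustration; the header checksum is left at zero and is not verified.

```python
import struct
from collections import Counter

# Bits of the 16-bit flags/fragment-offset field in the IPv4 header (RFC 791).
IP_DF = 0x4000       # Don't Fragment
IP_MF = 0x2000       # More Fragments
IP_OFFMASK = 0x1FFF  # fragment offset, in 8-byte units


def classify_ipv4(header: bytes) -> str:
    """Return 'fragment', 'df-set' or 'fragmentable' for one IPv4 header."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_off = struct.unpack("!BBHHH", header[:8])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl:
        raise ValueError("inconsistent header length fields")
    if flags_off & IP_MF or flags_off & IP_OFFMASK:
        return "fragment"      # receiver has to reassemble this datagram
    if flags_off & IP_DF:
        return "df-set"        # routers must drop it rather than fragment it
    return "fragmentable"      # may be split in transit and reassembled later


def audit(headers):
    """Count how many headers fall into each class."""
    return Counter(classify_ipv4(h) for h in headers)


def make_header(flags_off: int, total_len: int = 1500, ident: int = 1) -> bytes:
    """Build a constructed 20-byte TCP/IPv4 header for the samples below."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_off,
                       64, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))


# Constructed sample headers, not taken from any real capture.
SAMPLES = [
    make_header(IP_DF),   # PMTU discovery in use
    make_header(0),       # DF clear, not yet fragmented
    make_header(IP_MF),   # first fragment
    make_header(185),     # last fragment (offset 185 * 8 bytes)
]

if __name__ == "__main__":
    for name, count in sorted(audit(SAMPLES).items()):
        print(f"{name}: {count}")
```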



