North American Network Operators Group


Re: Getting PING bombed...

  • From: Golan Ben-Oni
  • Date: Mon Oct 20 12:17:54 1997

On Mon, 20 Oct 1997, Chris A. Icide wrote:

> Date: Mon, 20 Oct 1997 07:36:47 -0500
> From: "Chris A. Icide" <[email protected]>
> To: [email protected], Doug Davis <[email protected]>
> Cc: [email protected], [email protected], [email protected], [email protected]
> Subject: Re: Getting PING bombed...
> 
> If I remember right, and I think I do, Cisco filters will not reconstruct a
> fragment if it's not addressed to the router (why would you want to do such
> a thing, especially if the rest of the path is MTU limited?).  Because of
> this lack of reconstruction, the router only stops the initial fragment,
> and allows the rest to pass.  A while back we did some testing on this with
> some folks from abs.net (they supplied the victim), and it was still a
> problem in the 11.1.8 revision of code for the 7500 series.  

I also opened a case with Cisco back in Feb about this issue, and
demonstrated the problem to them.  Cisco's DEs reopened bug CSCdj00711,
and eventually integrated the fix into 11.1(10.2)AA on 4/3/97, and into
10.3(18), 10.0(14.4), 11.1(10.2) and 11.2(5.1) by 4/22.

> Here is a response I got from a Cisco technical type a while back:
> 
> 
> By design, non-initial fragments are not filtered as the transport layer
> (TCP/UDP) information is only available in the initial fragment and
> ACLs can contain entries that filter based on this. Filtering the
> initial fragment provides security as the receiving station will 
> time out after not receiving the initial fragment and flush the 
> rest. But, it is still prone to denial of service attacks...

I find it interesting that they're claiming here it's only a denial of
service problem.  I'll stop here... :)

<snip>

-Golan
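The mechanism the thread describes (a stateless ACL can only evaluate a port rule against the initial fragment, because only that fragment carries the UDP/TCP header, so non-initial fragments sail through) is easy to see with a small model. The following is an added illustration, not code from this thread or from Cisco: it builds a UDP datagram, fragments it the way an IP stack would, and runs each fragment through a toy port-based ACL with and without a leading rule that drops non-initial fragments to the protected host. The addresses, ports, identification value and the 576-byte MTU are made up for the example.

```python
"""Toy model: IPv4 fragmentation vs. a stateless port-based ACL.

Added example, not code from the NANOG thread. Hosts, ports and the
rule set are constructed for illustration.
"""
import socket
import struct

IP_PROTO_UDP = 17
MF_FLAG = 0x2000          # "More Fragments" bit in the flags/offset field
ATTACKER = "10.0.0.1"     # constructed
VICTIM = "10.0.0.2"       # constructed: the host the ACL protects
BLOCKED_PORT = 7          # constructed: "deny udp any host VICTIM eq 7"


def ipv4_packet(src, dst, proto, ident, more_frags, frag_offset, payload):
    """Minimal 20-byte IPv4 header + payload. frag_offset is in 8-byte
    units. The header checksum is left at zero because the toy ACL below
    never verifies it."""
    flags_frag = (MF_FLAG if more_frags else 0) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), ident, flags_frag,
                         64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def udp_datagram(sport, dport, data):
    """UDP header (zero checksum is legal for UDP over IPv4) + data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def fragment(src, dst, proto, ident, transport, mtu):
    """Split one transport-layer datagram into IPv4 fragments that fit in
    `mtu` bytes. Every fragment but the last carries a multiple of 8
    payload bytes, as the offset field requires. Only the first fragment
    contains the transport header."""
    chunk = (mtu - 20) // 8 * 8
    frags = []
    for off in range(0, len(transport), chunk):
        piece = transport[off:off + chunk]
        more = off + chunk < len(transport)
        frags.append(ipv4_packet(src, dst, proto, ident, more, off // 8, piece))
    return frags


def parse(pkt):
    """Return (dst, proto, more_frags, frag_offset, bytes_after_ip_header)."""
    ihl = (pkt[0] & 0x0F) * 4
    _, _, _, _, ff, _, proto, _, _, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return socket.inet_ntoa(dst), proto, bool(ff & MF_FLAG), ff & 0x1FFF, pkt[ihl:]


def naive_acl(pkt):
    """The behaviour the thread describes: the port rule can only be
    evaluated when the transport header is present (offset 0). A
    non-initial fragment has no port numbers to match, so it is permitted
    even though it belongs to a datagram whose first fragment was dropped."""
    dst, proto, _more, off, l4 = parse(pkt)
    if dst == VICTIM and proto == IP_PROTO_UDP and off == 0:
        _sport, dport = struct.unpack("!HH", l4[:4])
        if dport == BLOCKED_PORT:
            return "deny"
    return "permit"


def fragment_aware_acl(pkt):
    """Same rule set with a leading entry that drops every non-initial
    fragment addressed to the protected host, so the port rule cannot be
    bypassed by fragment offset. The price is that legitimate fragmented
    traffic to that host is dropped as well."""
    dst, _proto, _more, off, _l4 = parse(pkt)
    if dst == VICTIM and off != 0:
        return "deny"
    return naive_acl(pkt)


def demo():
    """Run a 1000-byte UDP datagram aimed at the blocked port through both
    ACLs and return the per-fragment verdicts (naive, fragment-aware)."""
    dgram = udp_datagram(40000, BLOCKED_PORT, b"A" * 1000)      # constructed
    frags = fragment(ATTACKER, VICTIM, IP_PROTO_UDP, 0x1234, dgram, 576)
    return ([naive_acl(f) for f in frags],
            [fragment_aware_acl(f) for f in frags])


if __name__ == "__main__":
    naive, aware = demo()
    print("naive ACL          :", naive)   # ['deny', 'permit']
    print("fragment-aware ACL :", aware)   # ['deny', 'deny']
```

With the 576-byte MTU the 1008-byte UDP datagram becomes two fragments; the naive ACL drops the first and passes the second, which is exactly the "initial fragment is stopped, the rest passes" observation in the quoted text. Whether the receiving host then merely times out the half-assembled datagram, or can be hurt by the leaked fragments, depends on its reassembly code, which is the point the post is making.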