Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: Getting PING bombed...

  • From: Golan Ben-Oni
  • Date: Mon Oct 20 12:17:54 1997

On Mon, 20 Oct 1997, Chris A. Icide wrote:

> Date: Mon, 20 Oct 1997 07:36:47 -0500
> From: "Chris A. Icide" <chris@nap.net>
> To: jamie@intuition.iagnet.net, Doug Davis <dougd@airmail.net>
> Cc: nanog@merit.edu, security@uu.net, help@uu.net, noc@airmail.net
> Subject: Re: Getting PING bombed...
> 
> If I remember right, and I think I do, Cisco filters will not reconstruct a
> fragment if it's not addressed to the router (why would you want to do such
> a thing, especially if the rest of the path is MTU limited?).  Because of
> this lack of reconstruction, the router only stops the initial fragment,
> and allows the rest to pass.  A while back we did some testing on this with
> some folks from abs.net (they supplied the victim), and it was still a
> problem in the 11.1.8 revision of code for the 7500 series.

I also opened a case with Cisco back in Feb about this issue, and
demonstrated the problem to them.  Cisco's DEs reopened bug CSCdj00711,
and eventually integrated the fix into 11.1(10.2)AA on 4/3/97, and into
10.3(18), 10.0(14.4), 11.1(10.2) and 11.2(5.1) by 4/22.

> Here is a response I got from a Cisco technical type a while back:
> 
> 
> By design, non-initial fragments are not filtered as the transport layer
> (TCP/UDP) information is only available in the initial fragment and
> ACLs can contain entries that filter based on this. Filtering the
> initial fragment provides security as the receiving station will 
> time out after not receiving the initial fragment and flush the 
> rest. But, it is still prone to denial of service attacks...

I find it interesting that they're claiming here it's only a denial-of-
service problem.  I'll stop here... :)

<snip>

-Golan
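The filtering behaviour the quoted Cisco response describes (an ACL that qualifies on transport-layer fields can only evaluate the initial fragment, because that is the only fragment carrying the TCP/UDP or ICMP header) can be reproduced with a few constructed packets. The following is an added illustration, not code from this thread, from Cisco, or from any router: it builds a fragmented ICMP echo request to a hypothetical victim address (192.0.2.10, from TEST-NET-1), parses each fragment's IPv4 header, and runs it through a simplified ACL evaluator in three modes. `legacy` models the behaviour the thread complains about (non-initial fragments are never filtered at all); `per_fragment` evaluates every fragment but lets a rule with an ICMP-type qualifier match only when that field is present; `fragment_aware` additionally lets such a rule match non-initial fragments on the layer-3 fields alone, via a `fragments` flag on the rule (my name for the option; the semantics are my simplification, not a description of any vendor's ACL syntax).

```python
"""Simulate how a transport-qualified ACL treats IPv4 fragments.

Added example; packets and ACL semantics are constructed for illustration.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ICMP, TCP, UDP = 1, 6, 17
VICTIM = "192.0.2.10"   # hypothetical target (TEST-NET-1), not from the thread
ICMP_ECHO_REQUEST = 8


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_fragment(src: str, dst: str, proto: int, ident: int,
                   offset_bytes: int, more: bool, payload: bytes) -> bytes:
    """Minimal IPv4 header (IHL=5, no options, checksum left 0) + payload."""
    assert offset_bytes % 8 == 0, "fragment offset is carried in 8-byte units"
    flags_frag = ((1 if more else 0) << 13) | (offset_bytes // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, ip_bytes(src), ip_bytes(dst))
    return hdr + payload


@dataclass
class Pkt:
    src: str
    dst: str
    proto: int
    offset: int                 # fragment offset in bytes; 0 for the initial fragment
    more: bool                  # MF flag
    l4: Optional[Tuple]         # (icmp_type, code) or (sport, dport); None if not present


def parse(raw: bytes) -> Pkt:
    ver_ihl, _, _, _, flags_frag, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    offset = (flags_frag & 0x1FFF) * 8
    l4 = None
    # Transport/ICMP header exists only at offset 0: later fragments carry bare payload.
    if offset == 0 and len(raw) >= ihl + 4:
        if proto == ICMP:
            l4 = tuple(raw[ihl:ihl + 2])
        elif proto in (TCP, UDP):
            l4 = struct.unpack("!HH", raw[ihl:ihl + 4])
    return Pkt(".".join(map(str, src)), ".".join(map(str, dst)), proto,
               offset, bool(flags_frag & 0x2000), l4)


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: Optional[int]             # None matches any protocol
    dst: str                         # "any" or an address
    icmp_type: Optional[int] = None  # layer-4 qualifier, only visible in the initial fragment
    fragments: bool = False          # also match non-initial fragments on L3 fields alone


def evaluate(rules: List[Rule], pkt: Pkt, mode: str) -> str:
    if mode == "legacy" and pkt.offset != 0:
        return "permit"              # non-initial fragments are simply not filtered
    for r in rules:
        if r.proto is not None and r.proto != pkt.proto:
            continue
        if r.dst != "any" and r.dst != pkt.dst:
            continue
        if r.icmp_type is not None:
            if pkt.l4 is None:       # qualifier cannot be checked on this fragment
                if mode == "fragment_aware" and r.fragments:
                    return r.action
                continue
            if pkt.l4[0] != r.icmp_type:
                continue
        return r.action
    return "deny"                    # implicit deny at the end of the list


def ping_bomb_fragments() -> List[bytes]:
    """A 42-byte ICMP echo request split into three fragments (constructed)."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0x1234, 1) + b"A" * 8
    body = icmp + b"B" * 16 + b"C" * 10
    return [
        build_fragment("198.51.100.7", VICTIM, ICMP, 0xBEEF, 0, True, body[0:16]),
        build_fragment("198.51.100.7", VICTIM, ICMP, 0xBEEF, 16, True, body[16:32]),
        build_fragment("198.51.100.7", VICTIM, ICMP, 0xBEEF, 32, False, body[32:]),
    ]


ACL = [
    Rule("deny", ICMP, VICTIM, icmp_type=ICMP_ECHO_REQUEST, fragments=True),
    Rule("permit", None, "any"),
]


def verdicts(mode: str) -> List[str]:
    return [evaluate(ACL, parse(raw), mode) for raw in ping_bomb_fragments()]


if __name__ == "__main__":
    for mode in ("legacy", "per_fragment", "fragment_aware"):
        print(f"{mode:15s} {verdicts(mode)}")
```

Run it and the first fragment is denied in every mode, but in `legacy` mode the two non-initial fragments pass untouched, and in `per_fragment` mode they still pass because the deny rule cannot see an ICMP type and the packet falls through to the `permit ip any any` entry. Only the `fragment_aware` mode, where the deny rule is allowed to match later fragments on source, destination and protocol alone, stops all three. That is the gap the thread is about: a host behind such a filter still receives and buffers every non-initial fragment of a blocked flow, which is why Cisco's note concedes the design remains open to denial of service.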
