North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: Getting PING bombed...
- From: Golan Ben-Oni
- Date: Mon Oct 20 12:17:54 1997
On Mon, 20 Oct 1997, Chris A. Icide wrote:
> Date: Mon, 20 Oct 1997 07:36:47 -0500
> From: "Chris A. Icide" <firstname.lastname@example.org>
> To: email@example.com, Doug Davis <firstname.lastname@example.org>
> Cc: email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org
> Subject: Re: Getting PING bombed...
> If I remember right, and I think I do, Cisco filtes will not reconstruct a
> fragment if it's not addressed to the router (why would you want to do such
> a thing, especially if the rest of the path is MTU limited?). Because of
> this lack of reconstruction, the router only stops the initial fragment,
> and allows the rest to pass. A while back we did some testing on this with
> some folks from abs.net (they supplied the victim), and it was still a
> problem in the 11.1.8 revision of code for the 7500 series.
I also opened a case with Cisco back in Feb about this issue, and
demonstrated the problem to them. Ciscos DEs reopened up bug CSCdj00711,
and eventually integrated the fix into 11.1(10.2)AA on 4/3 97, and into
10.3(18) 10.0(14.4), 11.1(10.2) and 11.2(5.1) by 4/22.
> Here is a response I got from a Cisco technical type a while back:
> By design, non-initial fragments are not filtered as the transport layer
> (TCP/UDP) information is only available in the initial fragment and
> ACLs can contain entries that filter based on this. Filtering the
> initial fragment provides security as the receiving station will
> time out after not receiving the initial fragment and flush the
> rest. But, it is still prone to denial of service attacks...
I find it interesting that they're claiming here its only a denial of
service problem. I'll stop here... :)