Date: Fri, 25 Aug 1995 02:37:12 -0700
From: Poul-Henning Kamp <phk@critter.tfs.com>
To: guido@gvr.win.tue.nl (Guido van Rooij)
Cc: fenner@parc.xerox.com (Bill Fenner), phk@freefall.freebsd.org, freebsd-hackers@freebsd.org
Subject: Re: IPFW and SCREEND
Message-ID: <679.809343432@critter.tfs.com>
In-Reply-To: Your message of "Fri, 25 Aug 1995 08:22:50 +0200." <199508250622.IAA08602@gvr.win.tue.nl>
> Bill Fenner wrote:
> >
> > Actually, the minimum MTU in IPv6 is 576; the minimum MTU in IPv4 is 68.
> > 68 bytes is enough to get past the transport layer ports, so you should
> > be able to prevent this kind of attack by dropping fragments with an
> > offset of less than 68. This will still allow overwriting TCP options,
> > but it's not likely that a firewall is going to be filtering on them...
>
> Not true. An IP header can be 60 bytes maximum (20 byte header, 40 byte
> options). You should at least make sure that you can 'look' at the
> ACK bit of the TCP header. That means at least 14 bytes..

I'm pretty sure that you won't get bit by denying any fragments starting < 256 bytes.

--
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                | phk@ref.tfs.com       TRW Financial Systems, Inc.
Just that: dried leaves in boiling water ?
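The thread above is arguing about the threshold for the classic tiny-fragment / overlapping-fragment attack: a first fragment carries an innocent-looking TCP header, and a second fragment starting at a small offset rewrites the flags octet after reassembly. The following Python is an added example written for this page, not code from the thread, from ipfw or from screend. It parses the IPv4 fragment fields, applies the two checks the posters describe (drop non-first fragments that start below a minimum offset, and require a first TCP fragment to carry at least the 14 header bytes through the flags octet), and runs the filter over a constructed two-fragment attack train with thresholds 0, 68 and 256. The fragment builder, the naive last-writer-wins reassembly, the 14-byte minimum and all packet contents are assumptions made for the demonstration.

```python
import struct

IPPROTO_TCP = 6
IP_MF = 0x2000          # "more fragments" flag in the IPv4 flags/offset field
IP_OFFMASK = 0x1FFF     # 13-bit fragment offset, in units of 8 bytes
TCP_FLAGS_BYTE = 13     # index of the flags octet inside the TCP header
TCP_SYN, TCP_ACK = 0x02, 0x10


def parse_ipv4(packet: bytes) -> dict:
    """Pull the fields a fragment filter needs out of an IPv4 header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, _ident, flags_off, _ttl, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    ihl = (vihl & 0x0F) * 4          # 20..60 bytes (up to 40 bytes of options)
    if vihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise ValueError("malformed IPv4 header")
    return {
        "proto": proto,
        "more": bool(flags_off & IP_MF),
        "offset": (flags_off & IP_OFFMASK) * 8,   # byte offset into the datagram payload
        "payload": packet[ihl:total_len],
    }


def fragment_verdict(packet: bytes, min_offset: int = 256,
                     min_first: int = TCP_FLAGS_BYTE + 1) -> str:
    """Return 'accept' or a 'drop: ...' reason for one IPv4 packet.

    min_offset: smallest payload offset a non-first fragment may start at
                (68 and 256 are the two values proposed in the thread).
    min_first:  transport-header bytes a first TCP fragment must carry so the
                filter can see the flags octet (14 is an assumption for this example).
    """
    f = parse_ipv4(packet)
    if f["offset"] == 0 and not f["more"]:
        return "accept"                       # not fragmented at all
    if f["offset"] == 0:
        if f["proto"] == IPPROTO_TCP and len(f["payload"]) < min_first:
            return "drop: first fragment hides the TCP flags"
        return "accept"
    if f["offset"] < min_offset:
        return "drop: fragment starts at %d < %d" % (f["offset"], min_offset)
    return "accept"


def build_fragment(payload: bytes, offset: int, more: bool,
                   proto: int = IPPROTO_TCP) -> bytes:
    """Constructed test packet: minimal 20-byte IPv4 header, no options, zero checksum."""
    assert offset % 8 == 0, "fragment offsets are 8-byte units"
    flags_off = (IP_MF if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_off, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def reassemble(accepted: list) -> bytes:
    """Naive reassembly in arrival order: a later fragment overwrites earlier
    bytes, which is exactly what an overlapping tiny fragment relies on."""
    buf = bytearray()
    for pkt in accepted:
        f = parse_ipv4(pkt)
        end = f["offset"] + len(f["payload"])
        if end > len(buf):
            buf.extend(b"\0" * (end - len(buf)))
        buf[f["offset"]:end] = f["payload"]
    return bytes(buf)


def tcp_flags_after_filter(packets: list, min_offset: int) -> int:
    """Run the filter over a fragment train and return the TCP flags byte
    the reassembled datagram would carry."""
    accepted = [p for p in packets if fragment_verdict(p, min_offset) == "accept"]
    return reassemble(accepted)[TCP_FLAGS_BYTE]


# Constructed attack train: fragment 1 is an innocent-looking ACK segment to
# port 80 (what an "established connections only" rule lets through); fragment 2
# starts at payload offset 8 and rewrites TCP bytes 8..19, which includes the
# flags octet, turning the segment into a SYN after reassembly.
innocent_tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 0x50, TCP_ACK, 8192, 0, 0)
overwrite = struct.pack("!IBBHHH", 0, 0x50, TCP_SYN, 8192, 0, 0)  # ack, doff, flags, win, csum, urg
frag1 = build_fragment(innocent_tcp, offset=0, more=True)
frag2 = build_fragment(overwrite, offset=8, more=False)
ATTACK_TRAIN = [frag1, frag2]

if __name__ == "__main__":
    for threshold in (0, 68, 256):
        flags = tcp_flags_after_filter(ATTACK_TRAIN, threshold)
        print("min_offset=%3d -> reassembled TCP flags 0x%02x" % (threshold, flags))
```

With no offset check the reassembled segment carries SYN; with either of the thresholds discussed (68 or 256) the offset-8 fragment is dropped and the ACK-only header survives. The first-fragment length check covers the other half of the problem: a first fragment shorter than 14 bytes of TCP header never shows the filter the flags it wants to match on, regardless of the offset threshold.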