Date: Sat, 15 Nov 1997 15:23:44 +0000
From: Eugeny Kuzakov <Eugeny.Kuzakov@lab321.ru>
To: Mike Tancsa <mike@sentex.net>
Cc: questions@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: IPFW and ipfragment overlap attack...
Message-ID: <346DBE80.F45FD68D@lab321.ru>
References: <3.0.2.32.19971114232337.02496330@sentex.net>

Mike Tancsa wrote:
>
> Does anyone know of a way to prevent via ipfw the use of the ip fragment
> attack that was posted on bugtraq the other day? Since this can take out
> NT/95 machines at will, it would be nice if I could protect my dialup users
> from outside attack. Also, it seems that FreeBSD is safe against this
> program, is it not? I am not a network programmer, but looking through
> /usr/src/sys/netinet/ip_input.c there are some safeguards against this.
> Are there any modifications to the program that could affect FreeBSD?

ipfw add XXX deny log all from any to any frag

It will work, if the MTU on the interfaces on the gateway is not below 1500.

--
Best wishes,
Eugeny Kuzakov
Laboratory 321 ( Omsk, Russia )
kev@lab321.ru
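
An added example, not part of the original message: a Python check of which packets the `frag` rule quoted above would drop, and whether a set of fragments overlaps. It assumes `frag` matches only fragments with a non-zero offset; the function names and sample headers are constructed for illustration.

```python
import struct

def parse_ipv4(hdr: bytes):
    """Return (datagram_key, offset_bytes, more_fragments, payload_len)."""
    (ver_ihl, _tos, total_len, ident, flags_off,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", hdr[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl:
        raise ValueError("not a valid IPv4 header")
    offset = (flags_off & 0x1FFF) * 8   # offset field counts 8-byte units
    more = bool(flags_off & 0x2000)     # More Fragments flag
    return (src, dst, proto, ident), offset, more, total_len - ihl

def dropped_by_frag_rule(hdr: bytes) -> bool:
    # Assumption: `frag` matches non-first fragments only (offset != 0).
    return parse_ipv4(hdr)[1] != 0

def has_overlap(headers) -> bool:
    """True if two fragments of one datagram claim the same payload bytes."""
    spans = {}
    for hdr in headers:
        key, off, _more, plen = parse_ipv4(hdr)
        spans.setdefault(key, []).append((off, off + plen))
    for ranges in spans.values():
        end = 0
        for start, stop in sorted(ranges):
            if start < end:
                return True
            end = max(end, stop)
    return False

def make_hdr(ident, offset, more, payload_len):
    # Constructed sample header: documentation addresses, UDP, checksum 0.
    flags_off = (0x2000 if more else 0) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       flags_off, 64, 17, 0, bytes([192, 0, 2, 1]),
                       bytes([198, 51, 100, 7]))

# Constructed: a 1480-byte payload fragmented for a 576-byte MTU link.
LEGIT = [make_hdr(1, 0, True, 552), make_hdr(1, 552, True, 552),
         make_hdr(1, 1104, False, 376)]
# Constructed: second fragment starts inside the first one's byte range.
OVERLAP = [make_hdr(2, 0, True, 64), make_hdr(2, 32, False, 64)]

if __name__ == "__main__":
    for name, frags in (("legit", LEGIT), ("overlap", OVERLAP)):
        print(name, "overlap:", has_overlap(frags),
              "dropped:", [dropped_by_frag_rule(h) for h in frags])
```

Under that assumption the trailing fragments of the well-formed datagram are dropped along with the overlapping one, so traffic that was legitimately fragmented before reaching the gateway loses data under this rule.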