From owner-freebsd-security Tue May 22 4:44:56 2001
Date: Tue, 22 May 2001 12:39:28 +0000 (GMT)
From: diman
To: Lowell Gilbert
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPFW Rule -1 Always = Attack?
In-Reply-To: <44ae4669z0.fsf@lowellg.ne.mediaone.net>

On 21 May 2001, Lowell Gilbert wrote:

[.......]

> > > It's *possible* that the rule could be triggered by something that
> > > wasn't an attack. Thinking about it briefly, it seems slightly more
> > > likely that it's part of a probe, rather than an actual attack.
> > > However, reporting to the network administrator for that address is
> > > almost certainly useless in any case, because an attacker would
> > > probably have spoofed that address anyway. [An attacker wouldn't ever
> > > get any response from that packet in any case.]
> >
> > An attacker can get an answer from a destination host. It's an ipfw in
> > between if he won't. Easy rule :)
>
> This is incorrect. The attacker can't get an answer in either case.
> The destination host won't reply unless the packet with the fragment
> offset of zero *also* got through to that destination host, in which
> case this rule doesn't matter. If it isn't the case, the destination
> host will never get a whole packet, and will never respond.

It might be 'icmp: reassembly time exceed' or something else - it's
OS/setup dependent. It might need more than one packet, but my point is:
"rule -1" can be used for ipfw detection/identification. There isn't much
security risk unless you want to hide your firewall from people's looks.

> The "rule -1" situation is only useful (to attackers) as part of a
> traffic analysis scheme, and not terribly even for that. However,
> there's no downside to dropping these packets, so we do.
>
> - Lowell

Yes, "traffic analysis" :-)

Good Luck.
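To make the reassembly argument in the exchange above concrete, here is an added example (not from the thread, and not ipfw's own code): a toy model of a receiving host's reassembly decision, showing why a non-first fragment on its own draws no reply. The timeout value and the sample fragments are constructed; the one standards point it encodes is RFC 792's note that no Time Exceeded message need be sent when fragment zero was never received.

```python
from dataclasses import dataclass

REASSEMBLY_TIMEOUT = 30.0  # seconds; illustrative value, real stacks differ


@dataclass(frozen=True)
class Fragment:
    """One IP fragment. Offset and length are in bytes here for readability
    (a real IP header stores the offset in 8-byte units)."""
    offset: int
    length: int
    more_fragments: bool  # the MF bit
    arrived: float        # arrival time in seconds


def is_complete(frags):
    """Complete when the offset-0 fragment is present, the MF=0 fragment is
    present, and there are no holes between them."""
    frags = sorted(frags, key=lambda f: f.offset)
    if not frags or frags[0].offset != 0:
        return False
    end = 0
    for f in frags:
        if f.offset > end:
            return False          # gap: a fragment is still missing
        end = max(end, f.offset + f.length)
    return not frags[-1].more_fragments


def host_response(frags, now):
    """What the receiving host does with the fragments seen so far:
    'reply'              complete datagram reaches TCP/UDP, which may answer
    'pending'            still inside the reassembly window
    'icmp-time-exceeded' timed out with fragment zero seen; the host may send
                         ICMP Time Exceeded code 1 (RFC 792)
    'silent'             timed out without fragment zero; RFC 792 says no
                         Time Exceeded need be sent, so nothing goes back"""
    if not frags:
        return 'silent'
    if is_complete(frags):
        return 'reply'
    if now - min(f.arrived for f in frags) < REASSEMBLY_TIMEOUT:
        return 'pending'
    if any(f.offset == 0 for f in frags):
        return 'icmp-time-exceeded'
    return 'silent'


# Constructed sample: a lone non-first fragment (the kind ipfw's "rule -1"
# refuses) versus the same fragment with its offset-0 companion.
LONE_TAIL = [Fragment(offset=8, length=20, more_fragments=False, arrived=0.0)]
WHOLE = [Fragment(offset=0, length=8, more_fragments=True, arrived=0.0),
         Fragment(offset=8, length=20, more_fragments=False, arrived=0.1)]
```

Whether a stack actually emits the Time Exceeded message in the 'icmp-time-exceeded' case is implementation dependent, which is the OS/setup caveat raised in the reply.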