From owner-freebsd-security Sat Nov 15 01:28:40 1997
Return-Path:
Received: (from root@localhost)
        by hub.freebsd.org (8.8.7/8.8.7) id BAA09701
        for security-outgoing; Sat, 15 Nov 1997 01:28:40 -0800 (PST)
        (envelope-from owner-freebsd-security)
Received: from lab321.ru (anonymous1.omsk.net.ru [194.226.32.34])
        by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id BAA09686;
        Sat, 15 Nov 1997 01:28:10 -0800 (PST)
        (envelope-from Eugeny.Kuzakov@lab321.ru)
Received: from lab321.ru (kev.l321.omsk.net.ru [194.226.33.68])
        by lab321.ru (8.8.5-MVC-230497/8.8.5) with ESMTP id PAA25162;
        Sat, 15 Nov 1997 15:21:55 +0600 (OSK)
Message-ID: <346DBE80.F45FD68D@lab321.ru>
Date: Sat, 15 Nov 1997 15:23:44 +0000
From: Eugeny Kuzakov
Organization: Powered by FreeBSD.
X-Mailer: Mozilla 4.04 [en] (X11; I; FreeBSD 3.0-971022-SNAP i386)
MIME-Version: 1.0
To: Mike Tancsa
CC: questions@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: IPFW and ipfragment overlap attack...
References: <3.0.2.32.19971114232337.02496330@sentex.net>
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Mike Tancsa wrote:
>
> Does anyone know of a way to prevent via ipfw the use of the ip fragment
> attack that was posted on bugtraq the other day?  Since this can take out
> NT/95 machines at will, it would be nice if I could protect my dialup users
> from outside attack.  Also, it seems that FreeBSD is safe against this
> program, is it not?  I am not a network programmer, but looking through
> /usr/src/sys/netinet/ip_input.c there are some safeguards against this.
> Are there any modifications to the program that could affect FreeBSD?

ipfw add XXX deny log all from any to any frag

It will work, if the MTU on the interfaces of the gateway is not below 1500.

--
Best wishes, Eugeny Kuzakov
Laboratory 321 ( Omsk, Russia )
kev@lab321.ru