From owner-freebsd-security Mon May 21 7:41:14 2001
To: freebsd-security@freebsd.org
Subject: Re: IPFW Rule -1 Always = Attack?
References: <44y9rtf9ox.fsf@lowellg.ne.mediaone.net>
From: Lowell Gilbert
Date: 21 May 2001 10:41:07 -0400
In-Reply-To: diman@asd-g.com's message of "21 May 2001 13:45:44 +0200"
Message-ID: <44ae4669z0.fsf@lowellg.ne.mediaone.net>
X-Mailer: Gnus v5.7/Emacs 20.7

diman@asd-g.com (diman) writes:

> On 19 May 2001, Lowell Gilbert wrote:
>
> > dwplists@loop.com (D. W. Piper) writes:
> >
> > > If I understand things correctly from the archives and the IPFW man
> > > page, IPFW rule -1 is built into the firewall, and only applies to
> > > rejecting IP fragments with a fragment offset of one. The man page
> > > further states, "This is a valid packet, but it only has one use, to try
> > > to circumvent firewalls."
> > >
> > > Does that mean that every packet dropped by rule -1 indicates a
> > > deliberate attempt to circumvent the firewall, and should be reported to
> > > the appropriate network administrator for the source IP address?
> >
> > It's *possible* that the rule could be triggered by something that
> > wasn't an attack. Thinking about it briefly, it seems slightly more
> > likely that it's part of a probe, rather than an actual attack.
> > However, reporting to the network administrator for that address is
> > almost certainly useless in any case, because an attacker would
> > probably have spoofed that address anyway. [An attacker wouldn't ever
> > get any response from that packet in any case.]
>
> An attacker can get an answer from a destination host. It's an ipfw between
> if he won't. Easy rule :)

This is incorrect. The attacker can't get an answer in either case.
The destination host won't reply unless the packet with the fragment
offset of zero *also* got through to that destination host, in which
case this rule doesn't matter. If that isn't the case, the destination
host will never get a whole packet, and will never respond.

The "rule -1" situation is only useful (to attackers) as part of a
traffic analysis scheme, and not terribly useful even for that.
However, there's no downside to dropping these packets, so we do.

- Lowell

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
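The fragment-offset reasoning in the reply above, as an added example (not code from the thread or from ipfw itself): it parses constructed IPv4 fragments, marks the ones ipfw's built-in rule -1 would drop (fragment offset exactly 1), and then checks whether the destination host could still reassemble, and therefore reply to, whatever the firewall let through. Addresses, IP IDs and payloads are constructed sample values; the checksum is left at zero.

```python
"""Fragment classification in the spirit of ipfw's built-in rule -1.
Constructed sample packets only: no real traffic, checksum left zero."""
import struct
from ipaddress import IPv4Address

IPV4_FMT = "!BBHHHBBH4s4s"          # fixed 20-byte IPv4 header
MF, OFFSET_MASK = 0x2000, 0x1FFF    # More Fragments bit; offset in 8-byte units


def make_ipv4(ident, offset, more, payload, src="192.0.2.10", dst="192.0.2.20"):
    """Build a constructed IPv4 fragment carrying `payload` at 8-byte `offset`."""
    flags_frag = (MF if more else 0) | (offset & OFFSET_MASK)
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, 6, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def parse_ipv4(pkt):
    """Decode the header fields that fragment handling depends on."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    _, _, total_len, ident, flags_frag, _, proto, _, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    return {"id": ident, "proto": proto, "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "mf": bool(flags_frag & MF), "offset": flags_frag & OFFSET_MASK,
            "data_len": total_len - 20}


def dropped_by_rule_minus_one(hdr):
    """ipfw rule -1: a fragment whose offset is exactly 1 (data starting at byte 8) is dropped."""
    return hdr["offset"] == 1


def reassembles(fragments):
    """True only if the pieces cover bytes 0..end with no hole and the final piece has MF clear.
    Only then does the destination host ever see a whole datagram it could answer."""
    pieces = sorted((h["offset"] * 8, h["offset"] * 8 + h["data_len"], h["mf"]) for h in fragments)
    end = 0
    for start, stop, _ in pieces:
        if start > end:            # hole: offset-0 piece missing or a middle piece dropped
            return False
        end = max(end, stop)
    return bool(pieces) and not pieces[-1][2]


def deliver(fragments):
    """Apply rule -1 at the firewall, then ask whether the host could reassemble what passed."""
    passed = [h for h in map(parse_ipv4, fragments) if not dropped_by_rule_minus_one(h)]
    return reassembles(passed)


# Scenario A (constructed): 8-byte first piece, so the offset-1 piece is needed -> host never replies.
SCENARIO_A = [make_ipv4(1, 0, True, b"A" * 8), make_ipv4(1, 1, True, b"B" * 8), make_ipv4(1, 2, False, b"C" * 8)]
# Scenario B (constructed): first piece already covers bytes 0..23, so dropping the overlapping
# offset-1 piece changes nothing and the host reassembles anyway ("this rule doesn't matter").
SCENARIO_B = [make_ipv4(2, 0, True, b"A" * 24), make_ipv4(2, 1, True, b"B" * 8), make_ipv4(2, 3, False, b"C" * 8)]
```

Run `deliver(SCENARIO_A)` and `deliver(SCENARIO_B)` to see the two cases the reply distinguishes: False where the firewall leaves a hole, True where the offset-0 fragment alone already covered the dropped bytes.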