Date:      Tue, 22 May 2001 12:39:28 +0000 (GMT)
From:      diman <diman@asd-g.com>
To:        Lowell Gilbert <lowell@world.std.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: IPFW Rule -1 Always = Attack?
Message-ID:  <Pine.BSF.4.21.0105221226100.202-100000@portal.none.ua>
In-Reply-To: <44ae4669z0.fsf@lowellg.ne.mediaone.net>



On 21 May 2001, Lowell Gilbert wrote:

[.......]
> > > It's *possible* that the rule could be triggered by something that
> > > wasn't an attack.  Thinking about it briefly, it seems slightly more
> > > likely that it's part of a probe, rather than an actual attack
> > > However, reporting to the network administrator for that address is
> > > almost certainly useless in any case, because an attacker would
> > > probably have spoofed that address anyway.  [An attacker wouldn't ever
> > > get any response from that packet in any case.]
> > 
> > An attacker can get an answer from a destination host. It's the ipfw in
> > between if he won't. Easy rule :)
> 	
> This is incorrect.  The attacker can't get an answer in either case.
> 
> The destination host won't reply unless the packet with the fragment
> offset of zero *also* got through to that destination host, in which
> case this rule doesn't matter.  If it isn't the case, the destination
> host will never get a whole packet, and will never respond.  

It might be 'icmp: reassembly time exceeded' or something else; it's
OS/setup dependent. It might need more than one packet, but my point
is: "rule -1" can be used for ipfw detection/identification.
There is not much security risk unless you want to hide your firewall from
people looking.

> 
> The "rule -1" situation is only useful (to attackers) as part of a
> traffic analysis scheme, and not terribly useful even for that.  However,
> there's no downside to dropping these packets, so we do.
> 
>  - Lowell

Yes, "traffic analysis" :-)

Good Luck.
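The thread disagrees about how much a "rule -1" hit tells an attacker, but both sides agree on what a defender should do with it: drop the fragment and do not treat the source address as attributable, because it may be spoofed. The following Python script is an added example, not code from this thread or from FreeBSD; it parses syslog lines in the shape of the old ipfw(8) "ipfw: -1 Refuse ... Fragment = N" message (the exact field layout is an assumption here; the sample lines are constructed) and groups the refusals per source so a single stray fragment can be told apart from a run of non-initial fragments that never form a whole datagram, which is the "probe" case Lowell describes. The threshold used for that distinction is an assumption of the example, not a rule from the thread.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample syslog lines. The field layout mimics the "ipfw: -1 Refuse"
# message old ipfw(8) logged for non-initial fragments it dropped; treat the
# exact layout as an assumption and adjust the regex to what your host records.
SAMPLE_LOG = """\
May 22 12:01:03 gw /kernel: ipfw: -1 Refuse TCP 198.51.100.7 192.0.2.10 in via fxp0 Fragment = 8
May 22 12:01:03 gw /kernel: ipfw: -1 Refuse TCP 198.51.100.7 192.0.2.10 in via fxp0 Fragment = 16
May 22 12:01:04 gw /kernel: ipfw: -1 Refuse UDP 198.51.100.7 192.0.2.10 in via fxp0 Fragment = 24
May 22 12:05:41 gw /kernel: ipfw: 100 Accept TCP 203.0.113.5:4321 192.0.2.10:80 in via fxp0
May 22 12:07:12 gw /kernel: ipfw: -1 Refuse ICMP 203.0.113.9 192.0.2.10 in via fxp0 Fragment = 3
"""

# Only "rule -1" refusals carry the trailing "Fragment = <offset>" field;
# the offset is non-zero by definition, so no transport header was present.
RULE_MINUS_ONE = re.compile(
    r"ipfw: -1 Refuse (?P<proto>\S+) (?P<src>[\d.]+) (?P<dst>[\d.]+) "
    r"in via (?P<iface>\S+) Fragment = (?P<offset>\d+)"
)


@dataclass(frozen=True)
class FragRefusal:
    proto: str
    src: str
    dst: str
    iface: str
    offset: int  # fragment offset as printed in the log line


def parse_rule_minus_one(log_text: str) -> List[FragRefusal]:
    """Return one FragRefusal per 'rule -1' line; other ipfw lines are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = RULE_MINUS_ONE.search(line)
        if m:
            hits.append(FragRefusal(m["proto"], m["src"], m["dst"],
                                    m["iface"], int(m["offset"])))
    return hits


def summarize_by_source(hits: List[FragRefusal]) -> Dict[str, dict]:
    """Group refusals by source address: count, protocols and offsets seen."""
    by_src = defaultdict(lambda: {"count": 0, "protos": set(), "offsets": set()})
    for h in hits:
        entry = by_src[h.src]
        entry["count"] += 1
        entry["protos"].add(h.proto)
        entry["offsets"].add(h.offset)
    return {src: {"count": e["count"],
                  "protos": sorted(e["protos"]),
                  "offsets": sorted(e["offsets"])}
            for src, e in by_src.items()}


def classify_source(entry: dict, probe_threshold: int = 3) -> str:
    """Heuristic (an assumption of this example): several non-initial fragments
    from one source with no accepted first fragment look like a deliberate
    probe, the 'traffic analysis' case in the thread; a lone fragment is
    indistinguishable from the offset-0 fragment having been lost in transit."""
    return "probe" if entry["count"] >= probe_threshold else "stray fragment"


def report(log_text: str) -> Dict[str, str]:
    """Map each source seen in rule -1 refusals to its classification."""
    summary = summarize_by_source(parse_rule_minus_one(log_text))
    return {src: classify_source(e) for src, e in summary.items()}


if __name__ == "__main__":
    for src, verdict in report(SAMPLE_LOG).items():
        print(f"{src}: {verdict}")
```

The output is a per-source verdict, nothing more: as Lowell notes, the source address in these fragments may be spoofed and the sender gets no reply either way, so the summary is useful for spotting noisy probing against your own address space (and for rate-limiting or ignoring it in alert volume), not for contacting the administrator of the source network.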






