Date: Tue, 22 May 2001 12:39:28 +0000 (GMT)
From: diman <diman@asd-g.com>
To: Lowell Gilbert <lowell@world.std.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPFW Rule -1 Always = Attack?
Message-ID: <Pine.BSF.4.21.0105221226100.202-100000@portal.none.ua>
In-Reply-To: <44ae4669z0.fsf@lowellg.ne.mediaone.net>
On 21 May 2001, Lowell Gilbert wrote:

[.......]

> > > It's *possible* that the rule could be triggered by something that
> > > wasn't an attack. Thinking about it briefly, it seems slightly more
> > > likely that it's part of a probe, rather than an actual attack.
> > > However, reporting to the network administrator for that address is
> > > almost certainly useless in any case, because an attacker would
> > > probably have spoofed that address anyway. [An attacker wouldn't ever
> > > get any response from that packet in any case.]
> >
> > Attacker can get answer from a destination host. It's an ipfw between
> > if he won't. Easy rule :)
>
> This is incorrect. The attacker can't get an answer in either case.
>
> The destination host won't reply unless the packet with the fragment
> offset of zero *also* got through to that destination host, in which
> case this rule doesn't matter. If it isn't the case, the destination
> host will never get a whole packet, and will never respond.

It might be 'icmp: reassembly time exceeded' or something else - it's
OS/setup dependent. It might need more than 1 packet, but my point is:
"rule -1" can be used for ipfw detection/identification. There is not
much security risk unless u wanna hide ur firewall from people's looks.

> The "rule -1" situation is only useful (to attackers) as part of a
> traffic analysis scheme, and not terribly even for that. However,
> there's no downside to dropping these packets, so we do.
>
> - Lowell

Yes, "traffic analysis" :-)

Good Luck.
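An added example, not part of this thread or of FreeBSD, showing how a defender might triage these "rule -1" log entries: it tallies refusals per source address so a burst (a likely probe) stands out from a stray fragment. The ipfw syslog line shape and the sample lines below are constructed assumptions, not taken from the thread.

```python
import re
from collections import Counter

# Constructed sample syslog lines. The line shape (rule number, action, proto,
# addresses, interface, "Fragment = N") is an assumption about ipfw's log
# format for this era, not something quoted in the thread.
SAMPLE_LOG = """\
May 22 12:01:03 gw /kernel: ipfw: -1 Refuse TCP 192.0.2.10 198.51.100.5 in via fxp0 Fragment = 1
May 22 12:01:03 gw /kernel: ipfw: -1 Refuse TCP 192.0.2.10 198.51.100.5 in via fxp0 Fragment = 1
May 22 12:01:04 gw /kernel: ipfw: -1 Refuse TCP 192.0.2.10 198.51.100.9 in via fxp0 Fragment = 1
May 22 12:05:40 gw /kernel: ipfw: 300 Deny TCP 203.0.113.7:4444 198.51.100.5:22 in via fxp0
May 22 12:07:12 gw /kernel: ipfw: -1 Refuse TCP 203.0.113.7 198.51.100.5 in via fxp0 Fragment = 1
"""

IPFW_RE = re.compile(
    r"ipfw: (?P<rule>-?\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?::\d+)? (?P<dst>[\d.]+)(?::\d+)? (?P<dir>in|out) via (?P<iface>\S+)"
    r"(?: Fragment = (?P<frag>\d+))?"
)

def parse_ipfw(log_text):
    """Yield one dict per ipfw log line; unrelated syslog lines are skipped."""
    for line in log_text.splitlines():
        m = IPFW_RE.search(line)
        if m:
            entry = m.groupdict()
            entry["rule"] = int(entry["rule"])
            entry["frag"] = int(entry["frag"]) if entry["frag"] else 0
            yield entry

def rule_minus_one_sources(log_text):
    """Count 'rule -1' refusals per source address."""
    return Counter(e["src"] for e in parse_ipfw(log_text) if e["rule"] == -1)

def classify(counts, probe_threshold=3):
    """Sources at or above the threshold look like a deliberate burst rather than
    a stray fragment. As the thread notes, a lone non-zero-offset fragment never
    gets a reply from the host, so the source may well be spoofed: this is a
    triage hint for the firewall operator, not attribution."""
    return {src: ("probable-probe" if n >= probe_threshold else "isolated")
            for src, n in counts.items()}

if __name__ == "__main__":
    for src, verdict in classify(rule_minus_one_sources(SAMPLE_LOG)).items():
        print(src, verdict)
```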