Getting PING bombed...

Mon Oct 20 15:49:35 UTC 1997

On Mon, 20 Oct 1997, Chris A. Icide wrote:

> Date: Mon, 20 Oct 1997 07:36:47 -0500
> From: "Chris A. Icide" <chris at nap.net>
> To: jamie at intuition.iagnet.net, Doug Davis <dougd at airmail.net>
> Cc: nanog at merit.edu, security at uu.net, help at uu.net, noc at airmail.net
> Subject: Re: Getting PING bombed...
> 
> If I remember right, and I think I do, Cisco filtes will not reconstruct a
> fragment if it's not addressed to the router (why would you want to do such
> a thing, especially if the rest of the path is MTU limited?).  Because of
> this lack of reconstruction, the router only stops the initial fragment,
> and allows the rest to pass.  A while back we did some testing on this with
> some folks from abs.net (they supplied the victim), and it was still a
> problem in the 11.1.8 revision of code for the 7500 series.  

I also opened a case with Cisco back in Feb about this issue, and
demonstrated the problem to them.  Ciscos DEs reopened up bug CSCdj00711,
and eventually integrated the fix into 11.1(10.2)AA on 4/3 97, and into
10.3(18) 10.0(14.4), 11.1(10.2) and 11.2(5.1) by 4/22.

> Here is a response I got from a Cisco technical type a while back:
> 
> 
> By design, non-initial fragments are not filtered as the transport layer
> (TCP/UDP) information is only available in the initial fragment and
> ACLs can contain entries that filter based on this. Filtering the
> initial fragment provides security as the receiving station will 
> time out after not receiving the initial fragment and flush the 
> rest. But, it is still prone to denial of service attacks...

I find it interesting that they're claiming here its only a denial of
service problem.  I'll stop here... :)

<snip>

-Golan