Firewall stateful handling of ICMP packets

• Previous message (by thread): Firewall stateful handling of ICMP packets
• Next message (by thread): Firewall stateful handling of ICMP packets
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

--On Wednesday, December 3, 2003 10:53 PM -0500 Valdis.Kletnieks at vt.edu 
wrote:

> On Wed, 03 Dec 2003 15:57:37 PST, Owen DeLong <owen at delong.com>  said:
>
>> around.  (In fact, I'm hard pressed to imagine how a Frag needed packet
>> for an invalid session could do much of anything).
>
> You can use a forged 'frag needed' to stomp an existing connection of the
> victim's down to 64 byte MTU or similar silliness, but other than sheer
> "it's a packet" DDoS effects, I can't think of a malicious use for one for
> an invalid session either....

Agreed.  However, the former pretty much requires knowledge, a lot of 
packets,
or a really lucky set of guesses.

Owen


-- 
If it wasn't crypto-signed, it probably didn't come from me.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 186 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20031203/80dc53a3/attachment.sig>

• Previous message (by thread): Firewall stateful handling of ICMP packets
• Next message (by thread): Firewall stateful handling of ICMP packets
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]