Fwd: [IPv4 fragmentation --> The Rose Attack]
Barney Wolff
barney at databus.com
Sun Apr 4 12:59:56 PDT 2004
On Sun, Apr 04, 2004 at 08:38:31PM +0100, Richard Wendland wrote:
>
> It would be possible to improve matters somewhat by having per-protocol
> limits. So for TCP, which with MSS and DF rarely fragments, there could
> be low limits. But for UDP (e.g. for NFS), which frequently fragments,
> there could be generous limits.
>
> So systems that only permit TCP and ICMP from non-trusted hosts could
> in an indirect way limit external attack, without e.g. hampering local UDP.
I'd prefer either per-interface limits or a trusted/non-trusted per-interface
bit, if anything at all. Per-protocol limits would simply cause the
attackers to attack the other protocol. In truth, running NFS over UDP
with 65k packets over the Internet is suicidal anyway.
--
Barney Wolff http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
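To make the trade-off in this exchange concrete, here is an added example (mine, not code from the thread or from FreeBSD) that models the two budget policies as resource accounting for a reassembly queue; interface names, limits and fragment sizes are assumptions, and offsets, overlap handling and timeouts are deliberately left out.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed model of the byte budget in an IP fragment reassembly queue.
# Only the accounting is modelled; reassembly itself is not.

@dataclass(frozen=True)
class Fragment:
    iface: str   # interface the fragment arrived on
    proto: str   # "tcp", "udp" or "icmp"
    ident: int   # IP Identification field (which datagram it belongs to)
    size: int    # payload bytes held while waiting for the rest

# Policy from the quoted message: budget per protocol, low for TCP
# (rarely fragments), generous for UDP (NFS fragments often). Assumed values.
PROTO_LIMIT = {"tcp": 8_000, "udp": 256_000, "icmp": 8_000}

def per_protocol(frag):
    return frag.proto, PROTO_LIMIT[frag.proto]

# Policy from the reply: budget per interface, with a trusted bit deciding
# whether that interface gets the generous or the low limit. Assumed names.
TRUSTED = {"em1"}            # em1 faces the LAN, em0 the Internet

def per_interface(frag):
    return frag.iface, 256_000 if frag.iface in TRUSTED else 16_000

class Reassembler:
    def __init__(self, policy):
        self.policy = policy
        self.held = defaultdict(int)   # bytes queued per budget bucket

    def accept(self, frag):
        """Queue the fragment if its bucket has room; otherwise drop it."""
        key, limit = self.policy(frag)
        if self.held[key] + frag.size > limit:
            return False
        self.held[key] += frag.size
        return True

def fragments_accepted(policy, iface, proto, count=500, size=1480):
    """Offer `count` fragments of distinct, incomplete datagrams and return
    how many the queue holds before the policy starts dropping."""
    queue = Reassembler(policy)
    frags = (Fragment(iface, proto, ident, size) for ident in range(count))
    return sum(queue.accept(f) for f in frags)

if __name__ == "__main__":
    for policy in (per_protocol, per_interface):
        for proto in ("tcp", "udp"):
            print(policy.__name__, proto, "via em0:",
                  fragments_accepted(policy, "em0", proto))
```

Under the per-protocol policy the external interface can hold 172 UDP fragments but only 5 TCP ones, so the generous protocol sets the effective limit; under the per-interface policy the untrusted interface holds 10 either way and only the trusted one gets the generous budget.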