netdev.vger.kernel.org archive mirror
From: "David S. Miller" <davem@redhat.com>
To: Gandalf The White <gandalf@digital.net>
Cc: netdev@oss.sgi.com
Subject: Re: Fragmentation Attack
Date: Sun, 8 Feb 2004 13:18:26 -0800
Message-ID: <20040208131826.104eaef4.davem@redhat.com>
In-Reply-To: <BC4C0264.E3F3%gandalf@digital.net>

On Sun, 08 Feb 2004 15:12:36 -0600
Gandalf The White <gandalf@digital.net> wrote:

> The attack has ICMP, UDP and TCP.  If you were seeing a specific signature
> over and over again then I agree that it might be easy to block (depending
> on the firewall) ... But ... If someone were sending fragments destined for
> port 80 to your web server I don't see how you could differentiate between
> "real" fragments going to the web server and faked fragmentation requests.

In this day and age, and with all the headaches fragmentation causes
(either directly or indirectly via these resource consumption DoSes),
we may soon be reaching the point where only talking to sites doing
path-MTU discovery (yes, even for UDP) is a valid decision for a big
site.

This would solve the problem in a hurry.

For TCP I think people can do this today.  For UDP, what do you need fragmented
UDP for, DNS queries?  I think not for those types of usage, and even streaming
voice or whatever UDP uses chop up the datastream themselves, spitting out a
non-fragmented, time-transmitted line of packets looking sort of ATM-ish.

Fragmented ICMP should just be blocked at the firewall for people concerned about
this; I see no valid use of this.
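The two points above, the filter stance (drop fragments unless a protocol is explicitly allowed to fragment, i.e. expect peers to do path-MTU discovery) and the resource-consumption side (each accepted fragment opens reassembly state that an attacker can leave incomplete), as an added example that is not code from this thread or from the kernel. The packets are constructed inline with `build_ipv4()`; the only thing assumed is the RFC 791 header layout, and the names `decide`, `ReassemblyAccountant` and `simulate_flood` are this example's own.

```python
"""Classify IPv4 fragments and account for the reassembly state they pin.

Added example, not code from the thread. Packet bytes are constructed
inline with build_ipv4(); only the RFC 791 header layout is assumed.
"""
import socket
import struct
from collections import defaultdict
from dataclasses import dataclass

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
FLAG_DF, FLAG_MF = 0x4000, 0x2000   # bits inside the 16-bit flags/offset field


@dataclass(frozen=True)
class IPv4Header:
    src: str
    dst: str
    proto: int
    ident: int
    df: bool
    mf: bool
    offset: int          # fragment offset, in 8-byte units
    payload_len: int

    @property
    def is_fragment(self) -> bool:
        # Any piece of a fragment train has MF set (first/middle pieces) or a
        # non-zero offset (the last piece); an unfragmented datagram has neither.
        return self.mf or self.offset != 0


def build_ipv4(src, dst, proto, ident, payload, offset=0, mf=False, df=False):
    """Construct a raw IPv4 datagram (no options; checksum left as zero)."""
    flags_frag = (FLAG_DF if df else 0) | (FLAG_MF if mf else 0) | (offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def parse_ipv4(pkt: bytes) -> IPv4Header:
    """Parse the fixed 20-byte header; rejects short or inconsistent packets."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or total_len > len(pkt):
        raise ValueError("bad length fields")
    return IPv4Header(socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, ident,
                      bool(flags_frag & FLAG_DF), bool(flags_frag & FLAG_MF),
                      flags_frag & 0x1FFF, total_len - ihl)


def decide(hdr: IPv4Header, may_fragment=frozenset()) -> str:
    """Filter verdict for the stance in the mail: fragments are accepted only
    for protocols explicitly listed in may_fragment (none by default, i.e.
    peers are expected to do path-MTU discovery, even for UDP)."""
    if not hdr.is_fragment:
        return "accept"
    return "accept" if hdr.proto in may_fragment else "drop"


class ReassemblyAccountant:
    """Model the state a host pins if it accepts every fragment: one queue
    per (src, dst, proto, ident) that lives until all pieces have arrived."""

    def __init__(self):
        self.queues = {}   # key -> {"seen": bytes so far, "expected": total or None}

    def offer(self, hdr: IPv4Header):
        key = (hdr.src, hdr.dst, hdr.proto, hdr.ident)
        q = self.queues.setdefault(key, {"seen": 0, "expected": None})
        q["seen"] += hdr.payload_len
        if not hdr.mf:   # the last fragment is the only one that reveals the full size
            q["expected"] = hdr.offset * 8 + hdr.payload_len
        if q["expected"] is not None and q["seen"] >= q["expected"]:
            del self.queues[key]   # complete: reassembled and released

    def pending_by_src(self):
        counts = defaultdict(int)
        for (src, *_rest) in self.queues:
            counts[src] += 1
        return dict(counts)


def simulate_flood(n, attacker="203.0.113.7", victim="192.0.2.10"):
    """n first fragments (MF set, offset 0) with distinct idents and no trailing
    piece: each opens a reassembly queue that never completes. Returns the
    filter verdicts and the number of queues the attacker would hold open."""
    acct = ReassemblyAccountant()
    verdicts = []
    for ident in range(n):
        hdr = parse_ipv4(build_ipv4(attacker, victim, IPPROTO_UDP, ident,
                                    b"\x00" * 8, mf=True))
        verdicts.append(decide(hdr))
        acct.offer(hdr)
    return verdicts, acct.pending_by_src().get(attacker, 0)
```

Note that the first fragment of a train has offset 0 and only MF set, which is why `is_fragment` checks both fields; an iptables rule using `-f` matches second and further fragments only, so it does not by itself stop that first piece from opening a reassembly queue.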

Thread overview: 7+ messages
2004-02-07 17:36 Fragmentation Attack Gandalf The White
2004-02-07 17:45 ` David S. Miller
2004-02-07 18:00   ` Gandalf The White
2004-02-08 20:45     ` David S. Miller
2004-02-08 21:12       ` Gandalf The White
2004-02-08 21:18         ` David S. Miller [this message]
2004-02-12  2:20           ` Gandalf The White