filter
... System administrators rely on manufacturers of networking equipment
to provide them with packet filters; these filters are used for
keeping attackers from accessing private systems and information,
...
... Filtering IP Fragments ...
... administrator; conceptually, an
IP filter is applied to each IP packet as a complete entity.
...
...
One approach to fragment filtering, described by Mogul [1], involves
keeping track of the results of applying filter rules to the first
fragment (FO==0) and applying them to subsequent fragments of the
same packet. The filtering module would maintain a list of packets
indexed by the source address, destination address ...
... MF bit is set,
a list item would be allocated to hold the result of filter access
checks. When packets with a non-zero FO ...
... assumptions, and undesired fragments can leak through as a result.
Furthermore, if the filtering router lies on one of several parallel
paths, the filtering module will not see every fragment and cannot
guarantee complete fragment filtering in the case of packets that
should be dropped.
...
... packet. Since "interesting" packet information is contained in the
headers at the beginning, filters are generally applied only to the
first fragment. Non-first fragments are passed without filtering,
because it will be impossible for the destination host to complete
...
... overhead. Attackers can sometimes exploit typical filter behavior
and the ability to create peculiar fragment sequences in order to
sneak otherwise disallowed packets past the filter. In normal
practice, such pathological fragmentation is never used, so it is
...
... TCP header fields
into the second fragment, filter rules that specify patterns for
those fields will not match. If the filtering implementation does
not enforce a minimum fragment size, a disallowed packet might be
passed because it didn't hit a match in the filter.
STD ...
... transport header required to contain "interesting" fields
(i.e., fields whose values are significant to packet filters).
This length is measured from the beginning of the transport
...
... Note that TMIN is a function of the transport protocol involved
and also of the particular filters currently configured.
The direct method ...
... fragment would
contain innocuous data (and thereby be passed by administrative
packet filters), and in which some subsequent packet having a
non-zero offset would overlap TCP header information (destination port,
for instance) and cause it to be modified. The second packet would
be passed through most filter implementations because it does not
have a zero fragment offset.
...
... fragments are large enough to satisfy the minimum
size requirements described in the previous section. The filter
is configured to drop TCP connection request packets.
...
... 0-offset fragment, it will not be checked, and it, too, will pass
through the filter.
The receiving ...
... By adopting a better strategy in a router's IP filtering code, one
can be assured of blocking this "attack". If the router ...
... fragments
that have non-zero offsets, it can prevent overlaps in filter
parameter regions of the transport headers ...
...
A general algorithm, then, for ensuring that filters work in the
face of both the tiny fragment attack and the overlapping fragment
attack ...
... on the position of those fields in the header. In particular, if
filtering is permitted on data beyond the sixteenth octet of the
transport header, either because of a flexible user interface or
the implementation of filters for some new transport protocol,
dropping packets with FO ...
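The tiny fragment attack (a first fragment too short to carry the TCP flags), the overlapping fragment attack (a fragment at offset 1 rewriting the flags of an innocuous first fragment), and the minimum-size and non-zero-offset checks described above, modelled in Python as an added example. This is the editor's illustration, not code from the memo or from any router vendor. It assumes the filter is configured to drop TCP connection requests (SYN set, ACK clear), that the configured filters look no further than the sixteenth octet of the TCP header (so TMIN = 16), and that the receiving host lets a later fragment overwrite octets it overlaps; the `FO*8 < TMIN` test is a generalization of dropping offset-1 fragments for that TMIN. All packets are constructed inline; checksums are left zero.

```python
import struct

TCP = 6
SYN, ACK = 0x02, 0x10
# Assumption: configured filters only examine TCP ports, sequence/ack numbers and
# flags, so the "interesting" region ends at octet 16 of the TCP header.
TMIN = 16


def build_ipv4(payload, fo, mf, proto=TCP, ident=0x1234):
    """Minimal IPv4 header (no options, checksum 0) in front of payload.
    fo is the Fragment Offset in 8-octet units, mf the More Fragments bit."""
    flags_fo = (0x2000 if mf else 0) | (fo & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_fo,
                       64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload


def build_tcp(sport, dport, flags, seq=1, ack=0):
    """20-octet TCP header without options (constructed sample, checksum 0)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)


def parse_ipv4(pkt):
    ver_ihl, _, total, ident, flags_fo, _, proto, _, src, dst = struct.unpack_from(
        "!BBHHHBBH4s4s", pkt)
    ihl = (ver_ihl & 0x0F) * 4
    return {"proto": proto, "ident": ident, "fo": flags_fo & 0x1FFF,
            "mf": bool(flags_fo & 0x2000), "payload": pkt[ihl:total], "src": src, "dst": dst}


def is_connection_request(tcp):
    """The pattern the filter is configured to drop: SYN set, ACK clear (octet 13)."""
    return bool(tcp[13] & SYN) and not (tcp[13] & ACK)


def naive_filter(pkt):
    """Typical behaviour the memo describes: only the FO=0 fragment is inspected,
    and a rule cannot match a field that is absent from that fragment."""
    f = parse_ipv4(pkt)
    if f["fo"] != 0:
        return "pass"
    if f["proto"] == TCP and len(f["payload"]) >= 14 and is_connection_request(f["payload"]):
        return "drop"
    return "pass"


def hardened_filter(pkt, tmin=TMIN):
    """Direct method: a TCP first fragment must carry at least tmin octets of the
    transport header, and no later fragment may start inside that region
    (FO*8 < tmin), which for tmin=16 means exactly FO=1."""
    f = parse_ipv4(pkt)
    if f["proto"] == TCP:
        if f["fo"] == 0 and len(f["payload"]) < tmin:
            return "drop"   # tiny fragment: header fields pushed into a later fragment
        if f["fo"] > 0 and f["fo"] * 8 < tmin:
            return "drop"   # would overlap the filter parameter region
    return naive_filter(pkt)


def reassemble(fragments):
    """Reassembly model in which a later fragment overwrites overlapped octets,
    the behaviour the overlapping fragment attack relies on (stacks differ)."""
    buf = bytearray()
    for pkt in fragments:
        f = parse_ipv4(pkt)
        start, end = f["fo"] * 8, f["fo"] * 8 + len(f["payload"])
        buf.extend(b"\0" * max(0, end - len(buf)))
        buf[start:end] = f["payload"]
    return bytes(buf)


def attack_succeeds(fragments, filt):
    """True when every fragment passes the filter and the reassembled segment
    is the connection request the filter was meant to drop."""
    if any(filt(p) == "drop" for p in fragments):
        return False    # the host never completes reassembly
    return is_connection_request(reassemble(fragments))


def tiny_fragment_attack():
    syn = build_tcp(40000, 23, SYN)
    return [build_ipv4(syn[:8], fo=0, mf=True),    # ports + seq only: no flags to match
            build_ipv4(syn[8:], fo=1, mf=False)]   # flags arrive here, unfiltered


def overlapping_fragment_attack():
    innocuous = build_tcp(40000, 23, ACK)[:16]     # looks like a complete header, ACK set
    syn = build_tcp(40000, 23, SYN)
    return [build_ipv4(innocuous, fo=0, mf=True),
            build_ipv4(syn[8:], fo=1, mf=False)]   # rewrites octets 8-19: flags become SYN


def legitimate_fragments():
    seg = build_tcp(40000, 23, ACK) + b"A" * 32    # 52-octet segment split at octet 24
    return [build_ipv4(seg[:24], fo=0, mf=True), build_ipv4(seg[24:], fo=3, mf=False)]


if __name__ == "__main__":
    for name, frags in [("tiny", tiny_fragment_attack()),
                        ("overlap", overlapping_fragment_attack())]:
        print(name, "naive:", attack_succeeds(frags, naive_filter),
              "hardened:", attack_succeeds(frags, hardened_filter))
```

Run it directly to see both attacks get through the naive filter and fail against the hardened one; the legitimate two-fragment segment passes the hardened filter, and an unfragmented SYN is dropped by both, so the extra checks add no false drops for ordinary traffic.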
... This memo is concerned entirely with the security implications of
filtering fragmented IP packets.
...
