[unisog] UDP fragments anyone?

John Kristoff jtk at depaul.edu
Tue Feb 20 16:56:26 GMT 2007


On Mon, 19 Feb 2007 16:32:32 -0500
Vijay S Sarvepalli VSSARVEP <VSSARVEP at uncg.edu> wrote:

> Anybody care to share their concerns on UDP fragments across their 
> perimeter?  It seems like there is no 
> valid traffic that needs it.  eMule ?  I am not sure if there are only P2P 
> use it. 

There is valid traffic.  I've seen it for streaming video and in VPN
type situations.  Keep in mind that fragmented packets do not necessarily
mean large packets per se.  It may simply be that the sender is stuck
behind something with a smaller MTU than might be typical (this is the
common case for VPN type situations).

Now, maybe you're a small network and you don't mind throwing away
a few packets, potentially causing some potential collateral damage,
because it's easier and simpler for you to try to filter on easily
identifiable magic bit patterns than doing security the other way?
You'd have plenty of company if so.  Security folks love using the
packet filter hammer to do their job.  :-)

Generally speaking, you don't want to be seeing a lot of fragments even
if they're legit, because that is not very effecient for anyone, but
some nets, apps and configs aren't perfect, so they can happen.  You
could monitor them.  Generally they should take up a very small percentage
of your link.  If you see a spike, investigate.

There are certain IP protocol types (e.g. ICMP) that you should almost
never see be fragmented and it might be "less harmful" to filter those,
but even they might occur from time to time for research/measurement
projects.

Note, this has come up at least once before:

  <http://lists.sans.org/pipermail/unisog/2003-March/018666.html>

Your network, your choice, consequences you have to live with.  I
personally would recommend against it for what that's worth.

John


More information about the unisog mailing list