[unisog] UDP fragments anyone?

Russell Fulton r.fulton at auckland.ac.nz
Tue Feb 20 19:17:15 GMT 2007



Stephen John Smoogen wrote:
> Vijay S Sarvepalli VSSARVEP wrote:
>   
>> Anybody care to share their concerns on UDP fragments across their
>> perimeter?  It seems like there is no
>> valid traffic that needs it.  eMule ?  I am not sure if there are only
>> P2P use it.  
>>
>>     
>
> My normal mode of activity is to drop UDP and ICMP fragments at any
> border where I am going to use detection tools to examine traffic.
> Fragmented UDP and ICMP are normally used to evade various tools and in
> legitimate traffic a sign of something broken.
>
>   
Any tools worth their salt will reassemble packets *before* examining
the contents and will flag overlapping fragments.  I don't see this as a
valid argument for dropping UDP fragments.  Our firewall (OpenBSD's pf)
actually does the reassembly at the border, which is another way of
dealing with the issue.

Russell.
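As an added illustration of the reply above (not code from this thread or from pf), a small Python reassembler that hands a datagram on only once its fragments tile it without gaps and flags any fragment whose byte range overlaps one already seen instead of guessing which copy wins. Addresses, IP-IDs and payloads are constructed; `make_fragment` is a hypothetical helper that builds the test input.

```python
import struct
from typing import Optional, Tuple

# Constructed input: hypothetical 10.0.0.1 -> 10.0.0.2, header checksum left zero.
def make_fragment(ident: int, offset: int, more: bool, payload: bytes, proto: int = 17) -> bytes:
    """Build a minimal IPv4 fragment carrying `payload` at byte `offset` (multiple of 8)."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off,
                       64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload

def parse_ipv4(pkt: bytes):
    """Return (key, offset_in_bytes, more_fragments, payload) for one IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total, ident, flags_off, proto = struct.unpack("!HHHxB", pkt[2:10])
    key = (pkt[12:16], pkt[16:20], ident, proto)     # src, dst, IP-ID, protocol
    return key, (flags_off & 0x1FFF) * 8, bool(flags_off & 0x2000), pkt[ihl:total]

def feed(table: dict, pkt: bytes) -> Tuple[str, Optional[bytes]]:
    """Add one fragment to `table`; return ("overlap", None), ("pending", None) or ("done", datagram)."""
    key, off, more, data = parse_ipv4(pkt)
    st = table.setdefault(key, {"pieces": {}, "total": None, "overlap": False})
    end = off + len(data)
    # A fragment whose byte range intersects one already seen is the classic evasion
    # pattern (different stacks keep different copies), so flag the datagram, never guess.
    for o, d in st["pieces"].items():
        if off < o + len(d) and o < end:
            st["overlap"] = True
    st["pieces"][off] = data
    if not more:
        st["total"] = end          # the MF=0 fragment fixes the datagram's full length
    if st["overlap"]:
        return "overlap", None
    if st["total"] is None:
        return "pending", None
    cursor = 0                     # verify the pieces tile [0, total) with no gaps
    for o in sorted(st["pieces"]):
        if o != cursor:
            return "pending", None
        cursor = o + len(st["pieces"][o])
    if cursor != st["total"]:
        return "pending", None
    del table[key]
    return "done", b"".join(st["pieces"][o] for o in sorted(st["pieces"]))
```

An exact retransmission of a fragment is flagged as well; a production reassembler would compare the bytes before alarming, and a border scrub such as pf's spares inline tools the problem by handing them only whole datagrams.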

