[unisog] UDP fragments anyone?
Stephen John Smoogen
smooge at unm.edu
Tue Feb 20 22:10:42 GMT 2007
John Kristoff wrote:
> Now, maybe you're a small network and you don't mind throwing away
> a few packets, potentially causing some potential collateral damage,
> because it's easier and simpler for you to try to filter on easily
> identifiable magic bit patterns than doing security the other way?
> You'd have plenty of company if so. Security folks love using the
> packet filter hammer to do their job. :-)
I like my hammer, pickaxes, and industrial shredder
> Generally speaking, you don't want to be seeing a lot of fragments even
> if they're legit, because that is not very efficient for anyone, but
> some nets, apps and configs aren't perfect, so they can happen. You
> could monitor them. Generally they should take up a very small percentage
> of your link. If you see a spike, investigate.
> There are certain IP protocol types (e.g. ICMP) that you should almost
> never see be fragmented and it might be "less harmful" to filter those,
> but even they might occur from time to time for research/measurement
My favorite fragmented ICMP packets were uhm for research when asked. As
was the SSH over ICMP that the payload was carrying.
> Note, this has come up at least once before:
> Your network, your choice, consequences you have to live with. I
> personally would recommend against it for what that's worth.
Yeah it does have its drawbacks. It may be better to limit
dropping/monitoring it to certain areas in your organization depending
on how open/closed that area needs to be.
Stephen Smoogen -- ITS/Linux Administrator
MSC02 1520 1 University of New Mexico Albuquerque, NM 87131-0001
Phone: (505) 277-7343 Email: smooge at unm.edu
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
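A monitoring sketch for the approach Kristoff describes above (watch the fragment share of the link, look harder at fragmented ICMP, investigate a spike), added here as example code rather than anything from the thread; the packets are constructed in-line and the 5% spike threshold is an assumed value.

```python
import struct
from collections import Counter

IPV4_HDR = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def ipv4_header(proto, ident, more_frags, frag_offset_units, ttl=64):
    """Construct a minimal IPv4 header with the given fragmentation fields (sample data)."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset_units & 0x1FFF)
    return struct.pack(IPV4_HDR, 0x45, 0, 20, ident, flags_frag, ttl, proto, 0,
                       b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")


def parse_fragment_info(pkt):
    """Return (protocol, is_fragment). A datagram is a fragment when the MF flag is
    set or the fragment offset is non-zero (the last fragment has MF=0, offset>0)."""
    fields = struct.unpack(IPV4_HDR, pkt[:20])
    flags_frag, proto = fields[4], fields[6]
    more = bool(flags_frag & 0x2000)
    offset = flags_frag & 0x1FFF
    return proto, more or offset != 0


def fragment_report(packets, spike_pct=5.0):
    """Count fragments per IP protocol; flag fragmented ICMP (proto 1) and an
    overall fragment share above spike_pct (assumed threshold, tune per link)."""
    frags = Counter()
    for pkt in packets:
        proto, is_frag = parse_fragment_info(pkt)
        if is_frag:
            frags[proto] += 1
    total = len(packets)
    n_frag = sum(frags.values())
    pct = 100.0 * n_frag / total if total else 0.0
    return {"total": total, "fragments": n_frag, "fragment_pct": pct,
            "icmp_fragments": frags[1], "spike": pct > spike_pct}


# Constructed sample traffic: 40 whole UDP datagrams, one UDP datagram split in
# two fragments, and one fragmented ICMP datagram (the case worth a closer look).
SAMPLE = (
    [ipv4_header(17, i, False, 0) for i in range(40)]
    + [ipv4_header(17, 100, True, 0), ipv4_header(17, 100, False, 185)]
    + [ipv4_header(1, 200, True, 0), ipv4_header(1, 200, False, 185)]
)

if __name__ == "__main__":
    print(fragment_report(SAMPLE))
```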