[unisog] UDP fragments anyone?

Stephen John Smoogen smooge at unm.edu
Tue Feb 20 22:10:42 GMT 2007


 John Kristoff wrote:

> Now, maybe you're a small network and you don't mind throwing away
> a few packets, potentially causing some potential collateral damage,
> because it's easier and simpler for you to try to filter on easily
> identifiable magic bit patterns than doing security the other way?
> You'd have plenty of company if so.  Security folks love using the
> packet filter hammer to do their job.  :-)
> 


I like my hammer, pickaxes, and industrial shredder
(http://www.ssiworld.com/products/products4-en.htm) :)



> Generally speaking, you don't want to be seeing a lot of fragments even
> if they're legit, because that is not very efficient for anyone, but
> some nets, apps and configs aren't perfect, so they can happen.  You
> could monitor them.  Generally they should take up a very small percentage
> of your link.  If you see a spike, investigate.
> 
> There are certain IP protocol types (e.g. ICMP) that you should almost
> never see be fragmented and it might be "less harmful" to filter those,
> but even they might occur from time to time for research/measurement
> projects.
> 

My favorite fragmented ICMP packets were, uhm, for research when asked. As
was the SSH over ICMP that the payload was carrying.


> Note, this has come up at least once before:
> 
>   <http://lists.sans.org/pipermail/unisog/2003-March/018666.html>
> 
> Your network, your choice, consequences you have to live with.  I
> personally would recommend against it for what that's worth.
> 

Yeah it does have its drawbacks. It may be better to limit
dropping/monitoring it to certain areas in your organization depending
on how open/closed that area needs to be.


-- 
Stephen Smoogen -- ITS/Linux Administrator
  MSC02 1520 1 University of New Mexico Albuquerque, NM  87131-0001
  Phone: (505) 277-7343  Email: smooge at unm.edu
 How far that little candle throws his beams! So shines a good deed
 in a naughty world. = Shakespeare. "The Merchant of Venice"
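The monitoring approach John describes above (fragments should be a small fraction of the link, fragmented ICMP is rare enough to be worth flagging, investigate spikes) and the reason port-based "filter hammer" rules struggle with fragments, as an added example that is not part of this thread or of anyone's posted code. It builds a handful of constructed IPv4 packets inline instead of reading from a capture; the parser, the report fields, and the spike thresholds (five times baseline, with a 1% floor) are this example's own assumptions, not anything the list posts specify.

```python
"""Count IP fragments per protocol and flag spikes against a baseline.

Added example: raw IPv4 header parsing over constructed packets. Feed it
the packets from a capture (minus link-layer header) to use it for real.
"""
import struct
from collections import Counter

ICMP, TCP, UDP = 1, 6, 17
MF_FLAG = 0x2000        # "more fragments" bit in the flags/offset field
OFFSET_MASK = 0x1FFF    # 13-bit fragment offset, in 8-byte units
IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte option-less header


def _ip(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_ipv4(proto, payload, ident=1, mf=False, offset=0,
               src="10.0.0.1", dst="10.0.0.2"):
    """Build a minimal IPv4 packet for constructed test traffic.
    `offset` is in 8-byte units, as on the wire. Header checksum is left
    zero; this is test data, not something to transmit."""
    ihl = 5
    flags_frag = (MF_FLAG if mf else 0) | (offset & OFFSET_MASK)
    header = struct.pack(IPV4_HDR, (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                         ident, flags_frag, 64, proto, 0, _ip(src), _ip(dst))
    return header + payload


def parse_ipv4(pkt):
    """Return the fragment-relevant fields of one IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _, _, ident, flags_frag, _, proto, _, _, _ = struct.unpack(
        IPV4_HDR, pkt[:20])
    version, ihl = vihl >> 4, vihl & 0xF
    if version != 4 or ihl < 5 or len(pkt) < ihl * 4:
        raise ValueError("not a well-formed IPv4 packet")
    mf = bool(flags_frag & MF_FLAG)
    offset = (flags_frag & OFFSET_MASK) * 8      # bytes into the datagram
    return {
        "proto": proto,
        "id": ident,
        "mf": mf,
        "offset": offset,
        "is_fragment": mf or offset > 0,
        "first_fragment": offset == 0,
        "l4": pkt[ihl * 4:],
    }


def transport_ports(parsed):
    """(sport, dport) for TCP/UDP, or None for a non-first fragment: the
    transport header travelled in the first fragment, so a port-based
    filter has nothing to match on here. That is the evasion angle."""
    if parsed["proto"] not in (TCP, UDP) or not parsed["first_fragment"]:
        return None
    l4 = parsed["l4"]
    if len(l4) < 4:
        return None
    return struct.unpack("!HH", l4[:4])


def fragment_report(packets):
    """Fraction of the sample that is fragments, plus the two counts worth
    an analyst's attention: fragmented ICMP and header-less fragments."""
    total = len(packets)
    frags = [p for p in map(parse_ipv4, packets) if p["is_fragment"]]
    by_proto = Counter(p["proto"] for p in frags)
    return {
        "total": total,
        "fragments": len(frags),
        "fragment_fraction": len(frags) / total if total else 0.0,
        "fragmented_icmp": by_proto[ICMP],
        "headerless": sum(1 for p in frags if not p["first_fragment"]),
    }


def is_spike(baseline_fraction, current_fraction, factor=5.0, floor=0.01):
    """Assumed rule: a spike is >= `factor` times the baseline fragment
    fraction, ignoring anything under `floor` so a quiet link doesn't
    alert on a single stray fragment."""
    return (current_fraction >= floor
            and current_fraction >= factor * baseline_fraction)


# Constructed sample: 7 plain UDP/53 packets, one DNS reply split in two
# fragments (id 7), and one fragmented ICMP echo request (id 9).
SAMPLE_PACKETS = [
    *(build_ipv4(UDP, b"\x00\x35\x00\x35" + b"q" * 40) for _ in range(7)),
    build_ipv4(UDP, b"\x00\x35\x00\x35" + b"A" * 1476, ident=7, mf=True),
    build_ipv4(UDP, b"B" * 100, ident=7, mf=False, offset=185),   # 1480 bytes in
    build_ipv4(ICMP, b"\x08\x00\x00\x00" + b"C" * 1000, ident=9, mf=True),
]

if __name__ == "__main__":
    report = fragment_report(SAMPLE_PACKETS)
    print(report)
    print("spike vs 0.2% baseline:", is_spike(0.002, report["fragment_fraction"]))
    print("ports on 2nd fragment:", transport_ports(parse_ipv4(SAMPLE_PACKETS[8])))
```

Run over real traffic, the interesting outputs are `fragmented_icmp` (the protocol John singles out) and `headerless`, which is exactly the set of packets a port-based ACL will pass or drop blind; the fraction-over-time comparison in `is_spike` is the "if you see a spike, investigate" part.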

