
List:       firewalls-gc
Subject:    Re: router packet filtering, unix based routers and buffers  overflow
From:       Ulisses Alonso <ulisses () pusa ! eleinf ! uv ! es>
Date:       1998-05-29 18:14:40

Hello Ryan!

First of all thanks for your great comments!

On Fri, 29 May 1998, Ryan Russell wrote:

> Routing behaviour typically means forwarding packets based on
> the current packet only, and not modifying them save for decrementing
> the TTL.
> 
> Most router filtering (Cisco access lists, etc..) still only get to work on
> a single packet at a time.  There are exceptions, like being able to
> load a Firewall-1 filtering module on a Bay router.
> 
> A unix box acting as a router will typically behave like a plain router
> unless you configure it to do otherwise.


For instance, the CONFIG_IP_ALWAYS_DEFRAG option in the Linux kernel?

I heard that if you enable it, all packets are defragmented, so bogus
packets like nestea, teardrop, Ping of Death, ... are dropped -> not
routed. Even if they are not defragmented.

If this is true, can routers (a Cisco 25xx) do that?

> So, to answer your question... some of the DoS attacks are identifiable
> by a single packet in the stream, and therefore router filters could
> theoretically drop them.  In practice, I don't know of any router
> filtering mechanisms (again, save something like FW-1 on a Bay)
> that are flexible enough to catch something like that.
> 
> A typical unix box that has all the OS patches applied so itself
> is not vulnerable, will still happily route the same attacks to
> other hosts if it's in router mode.
> 
> What you really need is something that can do very intelligent
> filtering, able to keep state between packets.  That type of
> product usually falls into the category of firewall.

Like what?

TIS fw toolkit?
SOCKS?
Other Un*x software solution?
Linux firewalling capabilities?
Some other Un*x OS capability?
or... some module for Routers?

As you can see I'm not an expert, so practical examples of products will
be very useful.

Any comment, suggestion, URL, book, etc. would be greatly appreciated,

regards,

		Ulisses
-----------------------------------------------------------------------------
"Computers are useless. They can only give answers."            Pablo Picasso
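The distinction Ryan draws above, between what a stateless router filter can see in one datagram and what only a device that keeps state across fragments can see, can be shown with a small amount of code. The example below is an added illustration for this thread; it is not code from the list, from Ryan or Ulisses, from any Cisco or Bay product, or from the Linux CONFIG_IP_ALWAYS_DEFRAG implementation. It builds constructed IPv4 fragments in the shape of two of the attacks named in the thread (an oversize Ping of Death fragment and a teardrop-style overlapping pair), runs a single-packet check that a plain router filter could in principle apply, and then a per-flow fragment tracker of the kind a defragmenting host or stateful firewall keeps. The function and field names (build_fragment, single_packet_check, FragmentTracker) and the 10.0.0.x addresses are assumptions made for the example.

```python
import struct
from collections import defaultdict

MAX_DATAGRAM = 65535  # largest reassembled IPv4 datagram (16-bit total length)


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fixed IPv4 header and return the fields fragment checks need."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than a minimal IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "id": ident,
        "src": src,
        "dst": dst,
        "proto": proto,
        "mf": bool(flags_frag & 0x2000),          # "more fragments" flag
        "offset": (flags_frag & 0x1FFF) * 8,      # fragment offset in bytes
        "payload_len": total_len - ihl,
    }


def build_fragment(ident: int, offset: int, more: bool, payload_len: int,
                   src: bytes = b"\x0a\x00\x00\x01",
                   dst: bytes = b"\x0a\x00\x00\x02") -> bytes:
    """Construct one IPv4 fragment (ICMP, checksum left zero) for the demo.

    Constructed test input; offset must be a multiple of 8 as in a real header.
    """
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flags_frag, 64, 1, 0, src, dst)
    return hdr + b"\x00" * payload_len


def single_packet_check(pkt: bytes):
    """What a stateless filter can decide from this one datagram alone.

    A fragment whose offset plus payload would push the reassembled datagram
    past 65535 bytes (the Ping of Death pattern) is visible without state.
    Returns a verdict string or None if nothing is wrong with this packet.
    """
    h = parse_ipv4(pkt)
    if h["offset"] + h["payload_len"] > MAX_DATAGRAM:
        return "oversize-fragment"
    return None


class FragmentTracker:
    """Per-flow fragment bookkeeping, as a defragmenting host or stateful
    firewall keeps it. Detects fragments that overlap data already seen for
    the same (src, dst, id, proto), which no single-packet filter can do."""

    def __init__(self):
        self.flows = defaultdict(list)  # flow key -> list of (start, end) byte ranges

    def check(self, pkt: bytes):
        h = parse_ipv4(pkt)
        key = (h["src"], h["dst"], h["id"], h["proto"])
        start, end = h["offset"], h["offset"] + h["payload_len"]
        for s, e in self.flows[key]:
            if start < e and s < end:   # half-open ranges intersect
                return "overlapping-fragment"
        self.flows[key].append((start, end))
        if not h["mf"]:
            self.flows.pop(key, None)   # last fragment seen: drop the state
        return None


def demo():
    """Run both checks over constructed traffic; returns the verdicts."""
    # Ping of Death style: last fragment lands beyond the 65535-byte limit.
    pod = build_fragment(7, 65528, False, 100)
    # Teardrop style: second fragment starts inside the first one's data.
    t1 = build_fragment(1, 0, True, 24)
    t2 = build_fragment(1, 8, False, 24)
    tracker = FragmentTracker()
    return {
        "pod_stateless": single_packet_check(pod),
        "teardrop_stateless": [single_packet_check(t1), single_packet_check(t2)],
        "teardrop_stateful": [tracker.check(t1), tracker.check(t2)],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running it shows the point of the thread: the oversize fragment is caught by the stateless check, while both teardrop fragments pass that check individually and the overlap only appears once the tracker has seen the first fragment. A real implementation would also expire flow state on a timer, which this example leaves out.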

