tcp match silently drops packets
Cedric Blancher
blancher at cartel-securite.fr
Mon Oct 17 16:01:26 CEST 2005
On Monday, 17 October 2005 at 15:52 +0200, Henrik Nordstrom wrote:
> An IP fragment with offset 1 can overwrite parts of the TCP header, and if
> this check is not there an attacker could bypass port matches in iptables
> by sending the packet in two fragments where the first fragment (which is
> used by the tcp match) has ports which are allowed by the ruleset and later
> the second fragment (which is ignored by the tcp match) overwrites the
> port numbers with ports which would not be allowed by the ruleset.
I always thought conntrack was defragmenting datagrams before filtering.
Thus, if we filter on defragmented datagrams, then we can't get fooled by
fragmentation overlapping based attacks. Am I wrong?
--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
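The fragment handling of the iptables tcp match that the quoted message refers to (first fragment inspected, an offset-1 fragment dropped, later fragments ignored), as an added illustration in Python; this is not code from netfilter or from this thread, and the packets it is run on are constructed for the demo.

```python
import struct

IP_MF = 0x2000        # "more fragments" flag in the IPv4 fragment field
IP_OFFSET = 0x1FFF    # 13-bit fragment offset, in units of 8 bytes
IPPROTO_TCP = 6
TCP_HDR_LEN = 20      # minimum TCP header the match expects in a first fragment

def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fixed 20-byte IPv4 header; options are skipped via IHL."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tot, _id, frag, _ttl, proto, _csum, _src, _dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"proto": proto, "mf": bool(frag & IP_MF),
            "frag_offset": frag & IP_OFFSET, "payload": pkt[ihl:]}

def tcp_match_verdict(pkt: bytes, dport: int) -> str:
    """Decide what the tcp match does with one IPv4 packet for --dport <dport>.
    offset 0 : first fragment, look at the ports      -> "match" / "nomatch"
    offset 1 : would overlap the TCP header           -> "drop"  (hotdrop)
    offset >1: carries no header, nothing to examine  -> "nomatch"
    A first fragment shorter than a TCP header is also dropped."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != IPPROTO_TCP:
        return "nomatch"
    if ip["frag_offset"] == 1:
        return "drop"
    if ip["frag_offset"] > 1:
        return "nomatch"
    if len(ip["payload"]) < TCP_HDR_LEN:
        return "drop"
    _sport, dp = struct.unpack("!HH", ip["payload"][:4])
    return "match" if dp == dport else "nomatch"

# Helpers that build constructed packets (checksums left zero; demo only).
def build_tcp_header(sport: int, dport: int, flags: int = 0x02) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)

def build_ipv4(payload: bytes, frag_offset: int, more_fragments: bool) -> bytes:
    frag = (IP_MF if more_fragments else 0) | (frag_offset & IP_OFFSET)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, frag,
                      64, IPPROTO_TCP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

if __name__ == "__main__":
    first = build_ipv4(build_tcp_header(40000, 80), 0, True)
    overlap = build_ipv4(b"\x00" * 8, 1, False)
    print(tcp_match_verdict(first, 80), tcp_match_verdict(overlap, 80))  # match drop
```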