[Snort-users] Re: fragroute vs. snort: the tempest in a teacup

Dug Song dugsong at ...5264...
Thu Apr 18 09:04:02 EDT 2002

On Wed, Apr 17, 2002 at 11:11:54PM +0000, Dragos Ruiu wrote:

> First, this is not a snort-only issue, as I would wager other idses
> have as many if not more evasion modes as well as sharing these with
> Snort...

absolutely correct. Snort, i'd wager, does much better than most.

most stateful inspection firewalls and "intrusion prevention" or other
application-layer content filtering devices (e.g. Cisco NBAR) have
similar vulnerabilities that may be tested with fragroute.

> Most firewalls these days (especially Linux and OpenBSD ones)
> actually do reassembly inbound.

this isn't quite true. most stateful inspection firewalls do "virtual
reassembly" for IP fragments, and a few do basic window tracking for
TCP connections, but will still allow most fragroute-style attacks
through (e.g. duplicate overwriting TCP segments with older TCP
timestamp options for PAWS elimination, short TTLs, etc.).

your best bet (for the truly paranoid) is an application-layer
firewall, but we all knew that already. :-)

TCP scrubbers, as proposed by Malan, Paxson, et al. [1] [2] and
implemented by Provos, Paxson, et al. [3] [4] are a good intermediate
solution, but haven't found widespread deployment.

> This was an interesting point discovered recently when it was
> realized that the snort defragger was actually never getting touched
> at all in some installations.

IP fragmentation is rare to begin with [5], so i wouldn't chalk this
up to firewall magic - especially when all major firewalls still pass
fragments in their default configuration, and ONLY OpenBSD pf and
Linux netfilter can actually be configured to reassemble. even fewer
track TCP windows, options, etc...


[1] http://www.eecs.umich.edu/~rmalan/publications/mwjhInfocomm2000.ps.gz
[2] http://www.icir.org/vern/papers/norm-usenix-sec-01.ps.gz
[3] http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_norm.c
[4] http://www.mirrors.wiretapped.net/security/network-intrusion-detection/norm/
[5] http://www.caida.org/outreach/papers/2001/Frag/
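An added example (not code from this list post, nor from pf_norm or the norm scrubber it cites) illustrating the point made above about "virtual reassembly" versus normalization. A monitor that reassembles ambiguous TCP segments has to pick an overlap policy, and duplicate segments with stale timestamp options or short TTLs are exactly the inputs on which its choice diverges from what the end host accepts. The `Normalizer` class below applies three illustrative rules, which are assumptions for this example rather than the exact rules of any shipping scrubber: drop segments whose TSval is older than the newest already forwarded (the receiver would discard them under PAWS), drop segments below a configured TTL floor (assumed not to reach the protected host), and rewrite bytes that overlap already-forwarded data with the original copy so retransmissions stay consistent. The sample segments are constructed for the demonstration.

```python
"""Illustrative TCP normalizer: makes every downstream observer of a
stream (IDS or end host) reconstruct the same bytes from the same
segments, in the spirit of the TCP scrubbers referenced in the post."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Segment:
    seq: int                      # sequence number of the first payload byte
    data: bytes
    ttl: int = 64                 # IP TTL as seen on the wire
    tsval: Optional[int] = None   # TCP timestamp option TSval, None if absent


def reassemble(segments: List[Segment], policy: str = "first") -> bytes:
    """Byte-map reassembly with a fixed overlap policy.

    'first' keeps the earliest copy of each byte, 'last' lets later
    segments overwrite.  A naive monitor must pick one, and on ambiguous
    input the choice decides which stream it reconstructs.
    """
    if policy not in ("first", "last"):
        raise ValueError(policy)
    stream: Dict[int, int] = {}
    for seg in segments:
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if policy == "last" or off not in stream:
                stream[off] = byte
    if not stream:
        return b""
    out = bytearray()
    off = min(stream)
    while off in stream:          # stop at the first hole in the stream
        out.append(stream[off])
        off += 1
    return bytes(out)


class Normalizer:
    """Stateful per-connection scrubber with three assumed policies:
    stale-TSval drop (PAWS), TTL floor, and consistent retransmission.
    TSval wraparound is ignored for brevity."""

    def __init__(self, min_ttl: int = 5):
        self.min_ttl = min_ttl
        self.ts_recent: Optional[int] = None   # newest TSval forwarded
        self.seen: Dict[int, int] = {}         # byte offset -> forwarded byte

    def process(self, seg: Segment) -> Optional[Segment]:
        """Return the segment to forward, or None to drop it."""
        if (seg.tsval is not None and self.ts_recent is not None
                and seg.tsval < self.ts_recent):
            return None                        # receiver would drop via PAWS
        if seg.ttl < self.min_ttl:
            return None                        # assumed to expire before the host
        if seg.tsval is not None:
            self.ts_recent = seg.tsval
        # Overlapping bytes are forced back to the copy already forwarded;
        # genuinely new bytes are recorded for future comparison.
        fixed = bytearray()
        for i, byte in enumerate(seg.data):
            fixed.append(self.seen.setdefault(seg.seq + i, byte))
        return replace(seg, data=bytes(fixed))

    def normalize(self, segments: List[Segment]) -> List[Segment]:
        out = []
        for seg in segments:
            kept = self.process(seg)
            if kept is not None:
                out.append(kept)
        return out


# Constructed sample: one legitimate request split in two, plus two
# inserted overlapping segments of the kind the post describes.
SAMPLE = [
    Segment(seq=0, data=b"GET /in", tsval=100),
    Segment(seq=5, data=b"XXXXX", tsval=50),      # overlap, stale TSval
    Segment(seq=4, data=b"?", ttl=2),             # overlap, short TTL
    Segment(seq=7, data=b"dex.html", tsval=101),
]


def demo() -> Dict[str, bytes]:
    """Raw reassembly disagrees with itself; normalized input does not."""
    clean = Normalizer().normalize(SAMPLE)
    return {
        "raw_first": reassemble(SAMPLE, "first"),
        "raw_last": reassemble(SAMPLE, "last"),
        "norm_first": reassemble(clean, "first"),
        "norm_last": reassemble(clean, "last"),
    }


if __name__ == "__main__":
    for name, stream in demo().items():
        print(f"{name:11s} {stream!r}")
```

Run as a script, the two raw reassemblies of `SAMPLE` come out as different HTTP request lines, while both policies agree on `GET /index.html` once the stream has passed through `Normalizer`; that agreement between the monitor's view and the host's view is the property a scrubber exists to provide, and it is the property the "virtual reassembly" the post describes does not give you.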


More information about the Snort-users mailing list