[Snort-users] Re: fragroute vs. snort: the tempest in a teacup

Francis Cianfrocca francis at ...5645...
Thu Apr 18 16:43:04 EDT 2002

Sorry for changing the subject, but what is the general state of the art 
on application-level firewalls? Are any of them ready for prime time?

Dug Song wrote:

>On Wed, Apr 17, 2002 at 11:11:54PM +0000, Dragos Ruiu wrote:
>>First, this is not a snort-only issue, as I would wager other idses
>>have as many if not more evasion modes as well as sharing these with
>
>absolutely correct. Snort, i'd wager, does much better than most.
>most stateful inspection firewalls and "intrusion prevention" or other
>application-layer content filtering devices (e.g. Cisco NBAR) have
>similar vulnerabilities that may be tested with fragroute.
>
>>Most firewalls these days (especially Linux and OpenBSD ones)
>>actually do reassembly inbound.
>
>this isn't quite true. most stateful inspection firewalls do "virtual
>reassembly" for IP fragments, and a few do basic window tracking for
>TCP connections, but will still allow most fragroute-style attacks
>through (e.g. duplicate overwriting TCP segments with older TCP
>timestamp options for PAWS elimination, short TTLs, etc.).
>
>your best bet (for the truly paranoid) is an application-layer
>firewall, but we all knew that already. :-)
>
>TCP scrubbers, as proposed by Malan, Paxson, et al. [1] [2] and
>implemented by Provos, Paxson, et al. [3] [4] are a good intermediate
>solution, but haven't found widespread deployment.
>
>>This was an interesting point discovered recently when it was
>>realized that the snort defragger was actually never getting touched
>>at all in some installations.
>
>IP fragmentation is rare to begin with [5], so i wouldn't chalk this
>up to firewall magic - especially when all major firewalls still pass
>fragments in their default configuration, and ONLY OpenBSD pf and
>Linux netfilter can actually be configured to reassemble. even fewer
>track TCP windows, options, etc...
>
>[1] http://www.eecs.umich.edu/~rmalan/publications/mwjhInfocomm2000.ps.gz
>[2] http://www.icir.org/vern/papers/norm-usenix-sec-01.ps.gz
>[3] http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_norm.c
>[4] http://www.mirrors.wiretapped.net/security/network-intrusion-detection/norm/
>[5] http://www.caida.org/outreach/papers/2001/Frag/
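The TCP-scrubbing idea in the quoted reply, as an added example that is not part of this thread and not the cited pf_norm or norm code: a toy Python normalizer that, like a scrubber in front of an IDS, drops an overlapping segment whose timestamp option would fail PAWS at the receiver and rewrites an inconsistent retransmission to the first copy seen, so the IDS and the end host see the same byte stream. The Segment and Scrubber classes and the sample segments in demo() are constructed for illustration and are assumptions of this example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Segment:
    seq: int                  # sequence number of the first payload byte
    data: bytes
    tsval: int | None = None  # TCP timestamp option (TSval); None if absent

@dataclass
class Scrubber:
    """Toy normalizer: forward to the IDS only what the end host will accept."""
    seen: dict = field(default_factory=dict)  # seq -> byte first seen there
    ts_recent: int = 0                        # last accepted TSval (PAWS state)
    alerts: list = field(default_factory=list)

    def process(self, seg: Segment) -> Segment | None:
        # PAWS: a receiver discards a segment older than its last accepted TSval,
        # so the scrubber drops it instead of forwarding it to the IDS.
        if seg.tsval is not None and seg.tsval < self.ts_recent:
            self.alerts.append(f"drop seq={seg.seq}: stale TSval {seg.tsval} < {self.ts_recent}")
            return None
        if seg.tsval is not None:
            self.ts_recent = seg.tsval
        # Overlap: the first copy of each byte wins; differing bytes are rewritten.
        out, rewritten = bytearray(seg.data), False
        for i, b in enumerate(seg.data):
            s = seg.seq + i
            if s not in self.seen:
                self.seen[s] = b
            elif self.seen[s] != b:
                out[i], rewritten = self.seen[s], True
        if rewritten:
            self.alerts.append(f"rewrite seq={seg.seq}: inconsistent retransmission")
        return Segment(seg.seq, bytes(out), seg.tsval)

    def stream(self) -> bytes:
        # Contiguous payload starting at the lowest sequence number seen.
        buf, start = bytearray(), min(self.seen, default=0)
        while start + len(buf) in self.seen:
            buf.append(self.seen[start + len(buf)])
        return bytes(buf)

def demo() -> tuple[bytes, list[str]]:
    # Constructed sample: a stale-timestamp duplicate, then an inconsistent overlap.
    scrub = Scrubber()
    for seg in [Segment(0, b"GET /ind", 100), Segment(8, b"ex.html ", 101),
                Segment(0, b"XXXXXXXX", 50),   # the host rejects this via PAWS
                Segment(4, b"/cgi-bin", 102),  # bytes 4-11 differ from the first copy
                Segment(16, b"HTTP/1.0", 103)]:
        scrub.process(seg)
    return scrub.stream(), scrub.alerts
```

A real scrubber also has to handle IP fragments, window tracking and TTL, which this toy leaves out.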

