RE: fragment filtering [bcc][faked-from]

From: marvin greenlee (marvin@ccbootcamp.com)
Date: Tue May 10 2005 - 19:09:06 GMT-3


"...Filtering fragments adds an additional layer of protection against a DoS
attack that uses only noninitial fragments (such as FO > 0). Using a deny
statement for noninitial fragments at the beginning of the ACL denies all
noninitial fragments from accessing the router. Under rare circumstances, a
valid session might require fragmentation and therefore be filtered if a
deny fragment statement exists in the ACL..."

See also:

Cisco - Protecting Your Core: Infrastructure Protection Access Control Lists -
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml

Cisco - Access Control Lists and IP Fragments -
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800949b8.shtml

Marvin Greenlee, CCIE#12237, CCSI# 30483
Network Learning Inc
marvin@ccbootcamp.com
www.ccbootcamp.com (Cisco Training)

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
ccie2be
Sent: Tuesday, May 10, 2005 2:52 PM
To: Bob Sinclair; Group Study
Subject: RE: fragment filtering [bcc][faked-from]
Importance: Low

Hey Bob,
 
Thanks for getting back to me. I happen to have the Richard Deal book but
I'm not 100% sure of what he's saying and how to apply the info he provides.
 
For example, he talks mostly about NON-INITIAL fragments.
 
" When filtering fragments, noninitial fragments that match Layer 3
information in your ACL have the appropriate action taken against them:
permit or deny."
Is this the same as saying, "If the fragment keyword is used, noninitial
fragments that match Layer 3 information in your ACL have the appropriate
action taken against them: permit or deny"?
 
 
Or, put another way, is the difference between these 2 acl entries as noted?
 
access-list 101 deny ip any any fragments <- all IP traffic, including initial and non-initial fragments, is dropped

access-list 101 deny ip any any <- only initial fragments and unfragmented IP traffic is dropped; non-initial fragments pass through
 
As a practical matter for the lab, it seems to me, I have to sort acl
entries into 2 groups:
 
Group 1 - has no port information
 
Group 2 - has port info, i.e. the ACL entry includes either tcp or udp with a port
 
 
For Group 1, the behavior is as described above.
 
For Group 2, I'm still not that clear.
 
Last thing: Is there any simple way to verify the configuration will work as
intended?
 
I hate it when I take the lab and find I'm not sure about some little detail
and don't know how to verify if I did the config correctly.
 
 
Can you help clear up this confusion for me? I would be tremendously
appreciative.
 
TIA, Tim
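To make the fragment rules in the Cisco text Marvin quotes concrete, and to work through Tim's two Group 1 entries and his Group 2 (port-carrying) question, here is a small Python model of how IOS matches extended ACL entries against unfragmented packets, initial fragments and non-initial fragments. This is an added example for this archive page, not code from the thread, from Cisco or from IOS: the Packet and Ace classes, the evaluate() function, the addresses and the sample ACLs are constructed for illustration and encode the behaviour described in the "Access Control Lists and IP Fragments" white paper referenced above.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    """One IP datagram or fragment as the ACL engine sees it (constructed model)."""
    proto: str                    # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    fragment_offset: int = 0      # FO > 0 marks a non-initial fragment
    more_fragments: bool = False  # MF flag; set on the initial fragment, informational only
    dport: Optional[int] = None   # None: this fragment carries no Layer 4 header

    @property
    def non_initial(self) -> bool:
        return self.fragment_offset > 0


@dataclass
class Ace:
    """One extended access-list entry; dport stands for 'eq <port>'."""
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None   # Layer 4 information present when not None
    fragments: bool = False       # the 'fragments' keyword

    def __post_init__(self) -> None:
        # IOS refuses 'fragments' on an entry that also carries Layer 4 information.
        if self.fragments and self.dport is not None:
            raise ValueError("'fragments' cannot be combined with port information")


def _layer3_match(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and ace.src in ("any", pkt.src)
            and ace.dst in ("any", pkt.dst))


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """Apply the documented fragment rules for a single entry."""
    if not _layer3_match(ace, pkt):
        return False
    if ace.fragments:
        # A 'fragments' entry matches non-initial fragments and nothing else.
        return pkt.non_initial
    if ace.dport is None:
        # Layer 3 only: unfragmented, initial and non-initial fragments all match.
        return True
    if not pkt.non_initial:
        # Unfragmented packet or initial fragment: the Layer 4 header is present, compare it.
        return pkt.dport == ace.dport
    # Non-initial fragment against an entry with Layer 4 information: no port to check.
    # A permit entry permits it on the Layer 3 match; a deny entry is skipped.
    return ace.action == "permit"


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based index of the matching entry); None means the implicit deny."""
    for index, ace in enumerate(acl, start=1):
        if ace_matches(ace, pkt):
            return ace.action, index
    return "deny", None


# Constructed sample traffic: a large DNS reply arriving as two fragments, plus an
# unfragmented one. Addresses are private/documentation space chosen for this example.
UNFRAGMENTED = Packet("udp", "10.0.0.5", "192.0.2.10", dport=53)
INITIAL = Packet("udp", "10.0.0.5", "192.0.2.10", more_fragments=True, dport=53)
NON_INITIAL = Packet("udp", "10.0.0.5", "192.0.2.10", fragment_offset=185)

# The two entries Tim compares (Group 1, Layer 3 only) ...
ACL_FRAGMENTS_FIRST = [Ace("deny", "ip", fragments=True), Ace("permit", "ip")]
ACL_DENY_IP = [Ace("deny", "ip")]
# ... and Group 2, entries carrying UDP port information, without and with a
# leading 'fragments' entry as the Cisco text quoted above recommends.
ACL_PORT_ONLY = [Ace("deny", "udp", dport=53), Ace("permit", "ip")]
ACL_PORT_PLUS_FRAGMENTS = [Ace("deny", "udp", fragments=True),
                           Ace("deny", "udp", dport=53), Ace("permit", "ip")]


def summarize(acl: List[Ace]) -> dict:
    """Evaluate the three sample packets against one ACL."""
    samples = {"unfragmented": UNFRAGMENTED, "initial": INITIAL, "non-initial": NON_INITIAL}
    return {name: evaluate(acl, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for label, acl in [("deny ip any any fragments / permit ip any any", ACL_FRAGMENTS_FIRST),
                       ("deny ip any any", ACL_DENY_IP),
                       ("deny udp any any eq 53 / permit ip any any", ACL_PORT_ONLY),
                       ("deny udp any any fragments first", ACL_PORT_PLUS_FRAGMENTS)]:
        print(f"{label}: {summarize(acl)}")
```

Running the script prints, for each sample ACL, which entry (by position) acts on the unfragmented packet, the initial fragment and the non-initial fragment; on a real router the same positions are the entries whose hit counters you would watch in `show access-lists`. The three points to take from the model: a `fragments` entry matches only non-initial fragments; an entry with Layer 3 information alone matches all three kinds of packet; and a deny entry that carries port information never matches a non-initial fragment, so processing falls through to the next entry, which is why the Cisco text recommends an explicit deny-fragments entry at the top of the list rather than relying on port-based denies.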
  _____

From: Bob Sinclair [mailto:bsinclair@netmasterclass.net]
Sent: Tuesday, May 10, 2005 4:33 PM
To: ccie2be; Group Study
Subject: Re: fragment filtering
 
Tim,
 
Richard Deal covers this topic well in his book Cisco Router Firewall
Security. Non-initial fragments will not have the UDP port information. So
if you want to deny all UDP DNS fragments, denying UDP fragments is as
specific as you can get. According to Deal, non-initial fragments are
denied by the implicit deny-any at the end of the access-list in recent IOS.
Initial fragments and unfragmented packets can be explicitly denied by UDP
port.
 
HTH,
 
Bob Sinclair
CCIE #10427, CCSI 30427, CISSP
www.netmasterclass.net
----- Original Message -----
From: ccie2be <mailto:ccie2be@nyc.rr.com>
To: Group Study <mailto:ccielab@groupstudy.com>
Sent: Tuesday, May 10, 2005 4:02 PM
Subject: fragment filtering
 
Hi guys,



This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:11:57 GMT-3