How to block packets with bad crc or length?

Discussion in 'LnS English Forum' started by jgama, May 27, 2004.

Thread Status:
Not open for further replies.
  1. jgama
     jgama Registered Member
     Joined: May 4, 2004 | Posts: 34
    Hi,

    I was thinking about it and maybe it would be a good idea for a plugin.

    Peace,
    Joseph
     
  2. gkweb
     gkweb Expert Firewall Tester
     Joined: Aug 29, 2003 | Posts: 1,932 | Location: FRANCE, Rouen (76)
    Hi,

    Aren't those packets discarded directly by the OS?

    After a quick search on Google I found this in an O'Reilly book snippet on their official website:

    regards,

    gkweb.
     
  3. jgama
     jgama Registered Member
     Joined: May 4, 2004 | Posts: 34
    Hi gkweb,

    I am afraid not; for example, the ping of death is an ICMP packet over 64kb. I am still trying to figure out other situations. I will post more info soon.

    Peace,

    Joseph
     
  4. gkweb
     gkweb Expert Firewall Tester
     Joined: Aug 29, 2003 | Posts: 1,932 | Location: FRANCE, Rouen (76)
    Hi,

    If I remember right, Ping of Death was possible by sending fragmented ICMP packets (each one was valid), but when reassembled the size exceeded the limit.

    However, this trick worked on Win95 and maybe on Win98, but I'm pretty sure that this attack is dead now and is ancient history.
    A _patched_ Windows OS can't be attacked by that.

    Anyway, the OS _is_ checking for bad checksums; POD was just a vulnerability.

    And from a website I've just found:

    The security and checking of packets is handled by the TCP/IP protocols and by the OS.
    IMO, adding additional checks in case of a miss is overkill, but that's just my opinion :)

    Oh, and another quote from a forum:
    regards,

    gkweb.
     
  5. sentio
     sentio Registered Member
     Joined: Jun 3, 2004 | Posts: 9 | Location: H-Town
    So basically, what I think he's _trying_ to say is that "No, it probably isn't worth the effort." I could be wrong. :p
     
  6. gkweb
     gkweb Expert Firewall Tester
     Joined: Aug 29, 2003 | Posts: 1,932 | Location: FRANCE, Rouen (76)
    Hi,

    That's indeed what I'm trying to say with my bad English :)

    In fact, if you want deeper packet analysis, an IDS can do it for you, with full checksum checking and a lot more.

    regards,

    gkweb.
     
  7. jgama
     jgama Registered Member
     Joined: May 4, 2004 | Posts: 34
    Hi!

    I just made a test with an ICMP packet with a bad checksum and it goes through, but it gets no reply. But if I add 1000 bytes with a zero value with a correct CRC, it gets a reply although the payload has extra junk. Windows only regards the first 32 bytes of data for ECHO requests, because the reply had only 32. You are right, the OS does some filtering after receiving the packets; in most cases it should be enough. Anyway, spyware or RATs could use the extra data on ECHO packets to communicate. Although we can block packets by size and with many other details thanks to the awesome raw packet edition plugin, the CRC is not possible to verify because it is more complex. The OS will deal with it, hopefully.

    Peace,

    Joseph
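As an added example (not code from the thread or from the Look 'n' Stop plugin), the two conditions Joseph tested can be checked offline in Python: the RFC 1071 one's-complement checksum over the whole ICMP message, and an echo payload larger than the 32 bytes Windows actually echoes back. The 32-byte threshold, the verdict strings and the sample packets are assumptions constructed for the example.

```python
import struct

# Echo replies observed in the thread carried only 32 payload bytes; anything
# larger in an echo request/reply is flagged as a possible covert channel.
# The threshold is an assumption for this example, not a Windows constant.
MAX_ECHO_PAYLOAD = 32


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length data with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes,
                       corrupt: bool = False) -> bytes:
    """Construct a sample ICMP echo request (type 8, code 0).

    With corrupt=True the checksum field is deliberately flipped by one bit,
    which is how the 'bad checksum' test packet is constructed here."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = internet_checksum(header + payload)
    if corrupt:
        csum ^= 0x0001
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def inspect_icmp(packet: bytes) -> str:
    """Return a verdict for one ICMP message (IP header already stripped)."""
    if len(packet) < 8:
        return "drop-truncated"
    # Summing the message *including* its stored checksum must yield zero
    # after complementing; any other value means the checksum is wrong.
    if internet_checksum(packet) != 0:
        return "drop-bad-checksum"
    icmp_type = packet[0]
    if icmp_type in (0, 8) and len(packet) - 8 > MAX_ECHO_PAYLOAD:
        return "drop-oversize"
    return "pass"
```

The checksum verification is independent of payload contents, so a 1000-byte zero-filled request with a correct checksum is caught only by the size rule, exactly the gap the post describes.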
     