Fragmented packets may also be engineered (possibly as a way of
slipping an attack past security devices that don't do packet
reassembly; possibly as a DoS against the CPU and memory needed
to do reassembly).
If it happens "too often", it may actually *be* the firewall's
reaction to some malicious activity.
David Gillett
CISSP CCSE CCNP
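The virtual defragmentation and timeout behaviour discussed in this thread, as an added illustrative example (my own code, not Check Point's): a minimal reassembler keyed on (src, dst, proto, IP id) that holds fragments until the datagram is complete, expires incomplete datagrams after a timeout (the "Timeout" case behind the log message), and flags overlapping fragments, one of the engineered-fragment tricks that a device inspecting fragments individually would miss. The field names, the 30-second default and the sample values are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Fragment:
    key: tuple             # (src, dst, proto, ip_id): identifies one original datagram
    offset: int            # byte offset of this piece within that datagram
    payload: bytes
    more_fragments: bool   # the MF flag; False marks the final piece

@dataclass
class Datagram:
    first_seen: float
    pieces: Dict[int, bytes] = field(default_factory=dict)   # offset -> payload
    total_len: Optional[int] = None                           # known once MF=0 arrives

class Reassembler:
    def __init__(self, timeout: float = 30.0):
        self.timeout = timeout            # how long to wait for missing pieces (assumed default)
        self.pending: Dict[tuple, Datagram] = {}
        self.events: List[tuple] = []     # (event, key) pairs a firewall would log

    def add(self, frag: Fragment, now: float) -> Optional[bytes]:
        dg = self.pending.setdefault(frag.key, Datagram(first_seen=now))
        end = frag.offset + len(frag.payload)
        # Overlap is suspicious: a per-fragment inspector and the end host may see different data.
        if any(o < end and frag.offset < o + len(p) for o, p in dg.pieces.items()):
            self.events.append(("overlap", frag.key))
        dg.pieces[frag.offset] = frag.payload
        if not frag.more_fragments:
            dg.total_len = end
        if dg.total_len is None:
            return None                   # last piece not seen yet; keep waiting
        data, covered = bytearray(dg.total_len), 0
        for off in sorted(dg.pieces):     # later offsets win where pieces overlap
            if off > covered:             # gap: a piece is still missing
                return None
            data[off:off + len(dg.pieces[off])] = dg.pieces[off]
            covered = max(covered, off + len(dg.pieces[off]))
        if covered < dg.total_len:
            return None
        del self.pending[frag.key]
        return bytes(data[:dg.total_len])

    def expire(self, now: float) -> List[tuple]:
        # Datagrams that waited longer than the timeout are dropped: the "Timeout" error case.
        stale = [k for k, dg in self.pending.items() if now - dg.first_seen > self.timeout]
        for k in stale:
            del self.pending[k]
            self.events.append(("timeout", k))
        return stale
```

A real firewall would also cap the number of pending datagrams and bytes held, since the state this keeps is exactly what a fragment flood aims to exhaust.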
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf
> Of Reinoud Koornstra
> Sent: Friday, May 12, 2006 4:11 AM
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: Re: [FW-1] message: Virtual defragmentation error: Timeout
>
>
>
> Checkpoint by default tries to reassemble fragments to a
> packet in order to prevent missing malicious activity,
> because it isn't possible to detect many kinds of attacks
> when only inspecting the fragments. The message you get is
> because checkpoint didn't receive all the fragments necessary
> to do a full reassembly of the packet. It waits a certain
> time for all necessary fragments to arrive and if a fragment
> doesn't make it in time, this error is displayed. It happens
> occasionally, nothing to worry about. If it happens too often
> on a specific path, then however, you wish to look at the
> pure connectivity between end-points and what's going on.
> Fragmentation happens when a packet with a too large MTU
> tries to enter an interface with a lower MTU, if the DF bit
> isn't set the router/hop in between will defragment the
> packet. So, either you try to force RFC 1191, Path MTU
> discovery or you try to see what the lowest MTU on that path
> is yourself and adjust the MTU, however, I do not recommend
> the latter.
> Regards,
>
> Reinoud.
>
> -----Mailing list for discussion of Firewall-1
> <FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM> wrote: -----
>
>
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> From: Matt Rose <bsod1 AT YAHOO DOT COM>
>
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================