Hassan I Sahba
First let me tell you about Kerio. I reported this frag problem to
them on 16/12/04. They said it's several years out of date and is not
sold or supported. I asked them if the exploit concerned them and they
told me not to contact them again. No more replies. _|_
Many people still like Tiny/Kerio 2.x and will continue to use it
despite Kerio's lack of concern for their security (dig). So:
This works on XP. Do registry backups.
Go to:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
make a new DWORD Value
EnableFragmentChecking
edit it and change the value to 1
Make sure it's in
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters
and a reboot shouldn't be needed.
This should stop the XP stack processing fragmented packets, so they
should be rejected before they get to Tiny/Kerio. It should work for
2k/03 as well; I haven't checked 9.x.
To check it works before making the registry change, send out some
fragmented packets using ping or hping. After the change the packets
will time out as the stack drops them.
HiS
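
The registry steps described in the message above, written as a batch script. This is an added example, not part of the original post; it assumes reg.exe is available and is run from an administrator cmd.exe prompt, and the backup directory (BACKUP_DIR) is a hypothetical location chosen for the example.

```bat
@echo off
rem Added example, not from the original post.
rem Sets EnableFragmentChecking=1 under Tcpip\Parameters in each control set
rem named in the post, exporting each key to a .reg backup first.
setlocal
rem BACKUP_DIR is a hypothetical path chosen for this example.
set "BACKUP_DIR=%SystemDrive%\regbackup"
set "SUBKEY=Services\Tcpip\Parameters"
set "VALUE=EnableFragmentChecking"

if not exist "%BACKUP_DIR%" mkdir "%BACKUP_DIR%"

for %%S in (CurrentControlSet ControlSet001 ControlSet002) do call :apply %%S
endlocal
goto :eof

:apply
set "KEY=HKLM\SYSTEM\%1\%SUBKEY%"
rem Skip control sets that do not exist on this machine.
reg query "%KEY%" >nul 2>&1
if errorlevel 1 (
    echo [skip] %KEY% not present
    goto :eof
)
rem Back up the key before changing it; leave it untouched if the export fails.
if exist "%BACKUP_DIR%\%1-tcpip.reg" del "%BACKUP_DIR%\%1-tcpip.reg"
reg export "%KEY%" "%BACKUP_DIR%\%1-tcpip.reg" >nul
if errorlevel 1 (
    echo [fail] could not export %KEY%, value not changed
    goto :eof
)
reg add "%KEY%" /v %VALUE% /t REG_DWORD /d 1 /f >nul
rem Read the value back so the result is visible for each control set.
reg query "%KEY%" /v %VALUE%
goto :eof
```

To undo the change, import the matching .reg file from the backup directory or delete the EnableFragmentChecking value from each key.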