On 4/9/14, Fabien Bourdaire <li...@ecsc.co.uk> wrote: > We've created some iptables rules to block all heartbeat queries using > the very powerful u32 module. > > # Block rules > iptables -t filter -A INPUT -p tcp --dport 443 -m u32 --u32 \ > "52=0x18030000:0x1803FFFF" -j DROP
It appears to me that this rule assumes that TLS records align with TCP packet boundaries. Attackers can circumvent it by manipulating said boundaries. This is, in general, an inherent limitation of trying to use U32 to filter TCP-based application protocols. _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
