Date: 31 Mar 2004 15:07:31 -0500
From: stanislav shalunov <shalunov@...ernet2.edu>
To: bugtraq@...urityfocus.com
Subject: Re: IPv4 fragmentation  --> The Rose Attack


<gandalf@...ital.net> writes:

> While this discussion pertains to IPv4, IPv6 also allows fragmentation and I
> suspect IPv6 will also be affected by this attack.

IPv6 does not have en-route fragmentation and, therefore, has no
reassembly.  IPv6 is not affected.

Interesting attack.  Various standards require behaviors that lead to
unlimited memory usage.  For example, my netkill attack shows how to
cause a TCP stack to use all memory that is available to it.  The Rose
attack doesn't even use TCP to achieve a similar effect.

A mitigating strategy would be to give the IPv4 reassembly code a
certain amount of memory and, when that memory is filled, drop random
packets that are being reassembled.  The data structures used to hold
fragments must allow holding only those parts that have already
arrived.  This would still allow attacks on the reassembly facility
itself (an attacker could keep the reassembly memory full and cause
the majority of legitimate fragmented packets to be dropped by the
receiver), but at least other parts of the stack and the OS would not
suffer.

-- 
Stanislav Shalunov		http://www.internet2.edu/~shalunov/
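
The mitigation described in the message above, as an added example that is not part of the original post and not taken from any real IP stack: reassembly state is charged against a fixed budget, only fragments that have arrived are stored, and a random in-progress datagram is dropped when the budget is full. `BUDGET`, `MAXQ`, `frag_add` and the other names are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

#define BUDGET 4096  /* assumed cap, in bytes, on all reassembly state */
#define MAXQ   64    /* assumed cap on datagrams under reassembly */

/* Only fragments that arrived are stored; gaps between them cost nothing. */
struct frag  { struct frag *next; unsigned off, len; unsigned char data[]; };
struct dgram { unsigned id; int used; struct frag *frags; };

static struct dgram q[MAXQ];
static size_t mem_used;      /* bytes currently charged to the budget */

/* used=1: find the datagram with this id; used=0: find any free slot. */
static struct dgram *find(unsigned id, int used) {
    for (int i = 0; i < MAXQ; i++)
        if (q[i].used == used && (!used || q[i].id == id)) return &q[i];
    return NULL;
}

/* Free one datagram's fragments and return their memory to the budget. */
static void drop_dgram(struct dgram *d) {
    for (struct frag *f; (f = d->frags) != NULL; free(f)) {
        d->frags = f->next;
        mem_used -= sizeof *f + f->len;
    }
    d->used = 0;
}

/* Drop one randomly chosen in-progress datagram; returns 0 if none exist.
   rand() is a stand-in here; a real stack needs an unpredictable source. */
static int evict_random(void) {
    int live[MAXQ], n = 0;
    for (int i = 0; i < MAXQ; i++) if (q[i].used) live[n++] = i;
    if (n) drop_dgram(&q[live[rand() % n]]);
    return n;
}

/* Store one fragment. Returns 0 if stored, -1 if it was dropped. */
int frag_add(unsigned id, unsigned off, const void *p, unsigned len) {
    size_t need = sizeof(struct frag) + len;
    if (need > BUDGET) return -1;
    /* Make room: evict while over budget or while no slot is available. */
    while (mem_used + need > BUDGET || (!find(id, 1) && !find(0, 0)))
        if (!evict_random()) return -1;
    struct frag *f = malloc(need);
    if (!f) return -1;
    struct dgram *d = find(id, 1);
    if (!d) { d = find(0, 0); d->id = id; d->used = 1; d->frags = NULL; }
    f->off = off; f->len = len; f->next = d->frags; d->frags = f;
    memcpy(f->data, p, len); mem_used += need;
    return 0;
}
```

As the message notes, this bounds the damage rather than removing it: incomplete datagrams can still crowd out legitimate ones, but memory use never exceeds `BUDGET`.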

