From: keul_vrce at yahoo.com (amol wanjari)
Subject: Denial of Service Attack in Linux !!!


Hi folks,

Can DoS attacks be taken care of through cryptographic techniques? If
they can be (in some cases? or in all cases?), give one example of
your answer. If they cannot be (in some cases? or in all cases?),
attempt a characterization of when/why cryptographic techniques are
not useful.

Linux 2.1.89 to 2.2.3 had a DoS attack based on the following code in
/usr/src/linux/net/ipv4/ip_fragment.c: (The * lines are essential to
the attack & the ? lines can be ignored if you desire.)


   ...

   // Copy data portions of all fragments (list *qp) into the new buffer (*ptr)

   *  fp = qp->fragments;   // start of fragments
   *  count = qp->ihlen;    // ip hdr length

   *  while (fp) {
   *      if ((fp->len < 0) || ((count + fp->len) > skb->len)) goto out_invalid;
                             // skb: new netw buffer being prepared
   ?      memcpy((ptr + fp->offset), fp->ptr, fp->len);
                             // copy from fragment to new buffer

   *      if (count == qp->ihlen) {
   *          skb->dst = dst_clone(fp->skb->dst);
                             // add to a 4K cache of routing entries (dst)
                             // dst: abbr for destination
   ?          skb->dev = fp->skb->dev;
          }

   *      count += fp->len;
   *      fp = fp->next;
      }

   ?  out_invalid: printk(KERN_ERR,...)

   ...

   extern __inline__
   struct dst_entry * dst_clone(struct dst_entry * dst) {
   *    if (dst)
   *        atomic_inc(&dst->use);
   *    return dst;
   }

The attacker manufactures fragments with length zero. Explain how the attack
succeeds. What could be the fix? (Hint: add exactly one char in a * line!)


++Keul++
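
Added example (not part of Keul's post or of the kernel source): a small
user-space model of the quoted loop's dst reference counting, with made-up
names (glue, leaked_refs) and a constructed fragment list, run once with the
original `fp->len < 0` test and once with `fp->len <= 0`, to show how many
references to the route entry are left unreleased in each case.

```c
#include <stdio.h>

/* Constructed model of the ip_glue() loop quoted above; only the dst
 * reference counting is modelled, nothing is copied. */
struct dst_entry { int use; };                 /* stands in for atomic use count */
struct frag { int len; int offset; struct dst_entry *dst; struct frag *next; };

static struct dst_entry *dst_clone(struct dst_entry *dst) {
    if (dst) dst->use++;                        /* atomic_inc(&dst->use) */
    return dst;
}
static void dst_release(struct dst_entry *dst) { if (dst) dst->use--; }

/* Runs the reassembly loop over a fragment list. strict_check selects the
 * `fp->len <= 0` test instead of the original `fp->len < 0`. Returns 0 if
 * the datagram is accepted, -1 if it goes to out_invalid. The one reference
 * the finished skb really owns is released at the end, so afterwards
 * route.use counts only references that were overwritten without release. */
static int glue(struct frag *list, int ihlen, int skb_len, int strict_check) {
    struct dst_entry *skb_dst = NULL;
    int count = ihlen;
    for (struct frag *fp = list; fp; fp = fp->next) {
        int bad_len = strict_check ? (fp->len <= 0) : (fp->len < 0);
        if (bad_len || count + fp->len > skb_len) return -1;
        if (count == ihlen)                     /* stays true while len == 0 */
            skb_dst = dst_clone(fp->dst);       /* previous skb_dst is dropped */
        count += fp->len;
    }
    dst_release(skb_dst);
    return 0;
}

/* Constructed input: three zero-length fragments, then the real 8-byte one. */
int leaked_refs(int strict_check) {
    struct dst_entry route = { .use = 1 };      /* reference held by the route cache */
    struct frag f3 = { 8, 0, &route, NULL };
    struct frag f2 = { 0, 0, &route, &f3 };
    struct frag f1 = { 0, 0, &route, &f2 };
    struct frag f0 = { 0, 0, &route, &f1 };
    glue(&f0, 20, 28, strict_check);            /* 20-byte header + 8 bytes data */
    return route.use - 1;                       /* references beyond the cache's own */
}

int main(void) {
    printf("unreleased refs with '< 0':  %d\n", leaked_refs(0));   /* 3 */
    printf("unreleased refs with '<= 0': %d\n", leaked_refs(1));   /* 0 */
    return 0;
}
```

Each leaked reference keeps the route entry pinned in the cache, which is why a stream of such fragments exhausts it.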


