[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <86r7v8n5ks.fsf@abel.internet2.edu>
Date: 31 Mar 2004 15:07:31 -0500
From: stanislav shalunov <shalunov@...ernet2.edu>
To: bugtraq@...urityfocus.com
Subject: Re: IPv4 fragmentation --> The Rose Attack
<gandalf@...ital.net> writes:
> While this discussion pertains to IPv4, IPv6 also allows fragmentation and I
> suspect IPv6 will also be affected by this attack.
IPv6 does not have en-route fragmentation and, therefore, has no
reassembly. IPv6 is not affected.
Interesting attack. Various standards require behaviors that lead to
unlimited memory usage. For example, my netkill attack shows how to
cause a TCP stack to use all memory that is available to it. The Rose
attack doesn't even use TCP to achieve a similar effect.
A mitigating strategy would be to give the IPv4 reassembly code a
certain amount of memory and, when that memory is filled, drop random
packets that are being reassembled. The data structures used to hold
fragments must allow to only hold those parts that have already
arrived. This would still allow attacks on the reassembly facility
itself (an attacker could keep the reassembly memory full and cause
the majority of legitimate fragmented packets to be dropped by the
receiver), but at least other parts of the stack and the OS would not
suffer.
--
Stanislav Shalunov http://www.internet2.edu/~shalunov/
Powered by blists - more mailing lists