Date: Thu, 8 Apr 2004 17:24:57 +0200 (CEST)
From: Paul Starzetz <ihaquer@...c.pl>
To: bugtraq@...urityfocus.com
Cc: gandalf@...ital.net
Subject: Re: IPv4 fragmentation  --> The Rose Attack



gandalf@...ital.net wrote:

>The attack is simple.  Two parts of a fragmented packet are sent to the
>machine being attacked.  The first fragment (payload 32 bytes long) is the
>initial offset zero fragment of a SYN packet.  The final (second) fragment
>of the SYN packet is also 32 bytes in size, but is set to an offset of 64800
>bytes into the datagram.

There is a similar fragmentation attack which works pretty nicely for Linux. 
From the source code of ip_fragment.c it follows that the worst case is if 
you send small fragments of a datagram beginning from 0 to, let's say, 60000 
in pieces of 8 bytes each. This will cause the defragmentation code to 
build a linear list of socket buffers. If you now continue to send the last 
fragment, the kernel will cycle over that list over and over for every 
packet, and finally kfree the last fragment and replace it with the new one.

That causes a really nice load... It killed at least a 2.4.25 running on 
an Athlon 850.


-- 
Paul Starzetz
iSEC Security Research
http://isec.pl/
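Added example, not part of the original post and not Paul Starzetz's or the kernel's code: a small C model of the sequence described above. It builds real on-the-wire IPv4 fragment headers for 8-byte fragments from offset 0 upward, parses them back, and queues them into a simplified model of the sorted, singly linked fragment list that 2.4 ip_fragment.c scans from the head on every insert, counting how many list nodes each packet visits. Assumptions: the queue model keeps only offsets, lengths and the MF bit (no skb data, no ipfrag_high_thresh memory accounting, no reassembly timer, no trimming of partial overlaps); the datagram id 0x1234, the TCP protocol byte and the 7500-fragment count are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IP_MF      0x2000u   /* "more fragments" flag in the frag_off field */
#define IP_OFFMASK 0x1fffu   /* 13-bit fragment offset, in units of 8 bytes */

/* What the reassembler keeps per queued fragment: byte range and MF bit.
 * (Assumption: skb payload, timers and memory accounting are left out.) */
struct frag { uint16_t off, end; int more; struct frag *next; };

/* One reassembly queue (one datagram id): singly linked, sorted by offset. */
struct ipq { struct frag *head; unsigned count; };

/* Write a minimal 20-byte IPv4 header for one fragment into buf (>= 20 bytes).
 * off_bytes must be a multiple of 8. Addresses and checksum stay zero: nothing
 * here is put on the wire, the packets are only parsed back by frag_parse(). */
void frag_build(uint8_t *buf, uint16_t id, uint16_t off_bytes,
                uint16_t payload_len, int more)
{
    uint16_t fo  = (uint16_t)((off_bytes / 8) & IP_OFFMASK);
    uint16_t tot = (uint16_t)(20 + payload_len);
    if (more) fo |= IP_MF;
    memset(buf, 0, 20);
    buf[0] = 0x45;                          /* version 4, IHL 5 words */
    buf[2] = tot >> 8; buf[3] = tot & 0xff; /* total length */
    buf[4] = id  >> 8; buf[5] = id  & 0xff; /* identification */
    buf[6] = fo  >> 8; buf[7] = fo  & 0xff; /* flags + fragment offset */
    buf[8] = 64;                            /* TTL */
    buf[9] = 6;                             /* protocol: TCP (constructed) */
}

/* Pull the fields the reassembler needs back out of a raw IPv4 header.
 * Returns 1 on success, 0 for a short, truncated or non-IPv4 buffer. */
int frag_parse(const uint8_t *buf, size_t len, struct frag *out)
{
    if (len < 20 || (buf[0] >> 4) != 4) return 0;
    unsigned ihl = (buf[0] & 0x0f) * 4u;
    uint16_t tot = (uint16_t)(buf[2] << 8 | buf[3]);
    uint16_t fo  = (uint16_t)(buf[6] << 8 | buf[7]);
    if (ihl < 20 || tot < ihl || tot > len) return 0;
    out->off  = (uint16_t)((fo & IP_OFFMASK) * 8);
    out->end  = (uint16_t)(out->off + (tot - ihl));
    out->more = (fo & IP_MF) != 0;
    out->next = NULL;
    return 1;
}

/* Queue one fragment the way the 2.4 ip_frag_queue() scan does: walk from the
 * head to the insertion point, free queued fragments the new one completely
 * covers, link the new one in. Returns the number of list nodes visited, which
 * is the per-packet cost the post is talking about. */
unsigned ipq_insert(struct ipq *q, const struct frag *f)
{
    unsigned steps = 0;
    struct frag *prev = NULL, *next = q->head;
    for (; next; prev = next, next = next->next) {
        steps++;
        if (next->off >= f->off) break;          /* insertion point found */
    }
    while (next && next->off < f->end && next->end <= f->end) {
        struct frag *gone = next;                /* fully overridden: kfree */
        next = next->next;
        free(gone);
        q->count--;
        steps++;
    }
    struct frag *n = malloc(sizeof *n);
    if (!n) abort();
    *n = *f;
    n->next = next;
    if (prev) prev->next = n; else q->head = n;
    q->count++;
    return steps;
}

/* Replay the sequence from the post: nfrags 8-byte fragments of one datagram
 * from offset 0 upward (nfrags <= 8191 keeps offsets within 16 bits), then the
 * final MF=0 fragment resent `resends` more times. Returns the total number of
 * list nodes the reassembler visited. */
unsigned long flood_cost(struct ipq *q, unsigned nfrags, unsigned resends)
{
    uint8_t pkt[20 + 8];
    struct frag f;
    unsigned long total = 0;
    for (unsigned i = 0; i < nfrags + resends; i++) {
        unsigned idx = i < nfrags ? i : nfrags - 1;   /* past nfrags: resend last */
        frag_build(pkt, 0x1234, (uint16_t)(idx * 8), 8, idx + 1 < nfrags);
        if (!frag_parse(pkt, sizeof pkt, &f)) abort();
        total += ipq_insert(q, &f);
    }
    return total;
}

void ipq_free(struct ipq *q)
{
    while (q->head) { struct frag *n = q->head; q->head = n->next; free(n); }
    q->count = 0;
}

int main(void)
{
    struct ipq q = {0};
    struct frag last = { 7499 * 8, 7499 * 8 + 8, 0, NULL };   /* the MF=0 tail */
    unsigned long build = flood_cost(&q, 7500, 0);   /* 60000 bytes, 8 at a time */
    unsigned resend = ipq_insert(&q, &last);
    printf("queueing 7500 fragments: %lu node visits\n", build);
    printf("one resend of the last fragment: %u node visits, queue still %u long\n",
           resend, q.count);
    ipq_free(&q);
    return 0;
}
```

Building the 7500-node list already costs a quadratic number of node visits in this model, and every resend of the tail fragment walks the whole list again, frees the old copy and links the new one, leaving the list exactly as long as before, so the attacker pays one 28-byte packet per full scan. The model only counts pointer chases; in the kernel each node is an skb, so the real per-packet cost is higher still. It says nothing about the two-fragment Rose attack quoted at the top, whose list stays two entries long and whose effect comes from holding reassembly state rather than from the scan.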



