| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 09 Apr 2004 17:59:04 -0500 From: <gandalf@...ital.net> To: Darren Reed <avalon@...igula.anu.edu.au> Cc: BugTraq <bugtraq@...urityfocus.com> Subject: Re: IPv4 fragmentation --> The Rose Attack Greetings and Salutations: On 4/9/04 12:56 PM, "Darren Reed" <avalon@...igula.anu.edu.au> wrote: > In some mail from gandalf@...ital.net, sie said: >> From my experience in the real world, specifically with Windows 98 (and I >> suspect ME) I would say that yes we should care. You would probably be >> frightened at the number of people still running Windows 9* and ME. > > In this particular case, whether someone is running Windows ME/9* is > irrelevant to me - it's a local attack against them that isn't likely > to affect me. I work at many other places than on my own personal computers. I would like to know if attacks might affect any number of computers. I am a computer professional. > Further, most likely all the people who are still using Windows9*/ME > are not reading this, are not likely to ever hear about whether their > PC is vulnerable or understand it if they read about it in the paper. > Hence automatic updates in 2k/XP/... See above. I am betting that there are many computer professionals who would like to know what they are up against when they visit a customers site and see computers "acting funny". > Anyone who assumes that people who use/run Linux automatically run the > latest version of anything has their head in the sand. It just doesn't True. I agree wholeheartedly. >> MoDem speeds: >> 1) Microsoft 2000 - 200 packets in less than 2 minutes completely shuts off >> legitimate fragmented packets >> 2) PIX - 200 packets in less than 5 to 20 seconds completely shuts off >> fragmentation > > Recovery time or isn't there one ? Oops. I missed on this one, good question. All of the numbers I worked with were packets in the amount of time specified. So in windows if you keep a up a continuous stream of 200 packets (2 fragments) in 2 minutes then no legitimate fragmented packets can get through. When you stop the attack the Windows 2000 machine recovers and works normally. If you keep up 200 fragments (not packets as I said) per 5 to 20 seconds against a PIX firewall the same happens. When you stop the device recovers and works normally. Same with the other machines I tested against (obviously not a large sample of machines). Stop sending fragmented packets and they return to normal. > Unless it crashes the whole system, I don't think it's particularly > interesting as most people try and avoid dealing with frgaments, > these days, using PMTU discovery. Again, see my original post. Between cell phones, satellite and other devices fragmentation is needed on the Internet. > In contrast to other algorithms that try and prevent synflooding > (jamming the listen queue with SYN packets), there's no easy way > out here because the target of the attack is not expected to send > any packets back at the "source". All you can seemingly do is play > around with limits and timeouts and things like that to at best > focus the problem. > Darren Or program with queues that drop packets in a FIFO fashion that have enough memory that an attack will still allow fragmented packets to be serviced. You can (at least) make it harder to DoS a machine. Ken --------------------------------------------------------------- Do not meddle in the affairs of wizards for they are subtle and quick to anger. Ken Hollis - Gandalf The White - gandalf@...ital.net - O- TINLC WWW Page - http://digital.net/~gandalf/ Trace E-Mail forgery - http://digital.net/~gandalf/spamfaq.html Trolls crossposts - http://digital.net/~gandalf/trollfaq.html
Powered by blists - more mailing lists