Vulnerability Development
mailing list archives
Re: --== Fragementation Attacks ==--
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Mon, 26 Jan 2004 20:21:13 +0300
Dear Munir Ahmad,
--Saturday, January 24, 2004, 1:23:45 PM, you wrote to VULN-DEV () SECURITYFOCUS COM:
MA> I would like to inquire about Fragmentation Attacks. I'm not
MA> fully aware of them. How does an attacker do Fragment Attacks, and can you
MA> give me some idea how to solve the problem concerning Fragmentation
MA> Attacks?
A single IP packet may theoretically be up to 64K and can be sliced during
sending or transmission, to fit the MTU (usually 1500 bytes), into a number of
fragments. The remote side reassembles the packet from the fragments. It waits
for the reassembly timeout (RFC 1122 recommends 60 seconds) for all
fragments to appear. Flooding a remote host with a large number of
incomplete packets may lead to memory consumption, because all fragments
are stored in kernel memory during reassembly. Theoretically you can
consume up to bandwidth*reassembly_timeout if no protection is
implemented in the OS. Protection may be to reduce the IP reassembly timeout (5
seconds is usually quite enough) and deny TCP/SYN, ICMP and UDP
fragments and unused protocols + stateful filtering on the router. You must
be careful with a few protocols; for example, NFS is a source of fragmented
UDP. Fragmented ICMP is required for ping with a large packet size.
--
~/ZARAZA
Eternal memory to Saint Patrick! (Twain)
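
The bandwidth*reassembly_timeout bound from the reply above, as an added example that is not part of the original post: a simplified Python model of a reassembly queue, fed a constructed stream of fragments whose datagrams never complete, so the effect of a 60-second versus a 5-second timeout can be measured. The class and function names, the 192.0.2.10 address and the optional memory cap are assumptions of this example, not any kernel's actual implementation.

```python
from collections import OrderedDict

FRAG_LEN = 1480  # payload of one fragment at a 1500-byte MTU (20-byte IP header)

class ReassemblyTable:
    """Simplified model: fragments are held until the datagram completes or times out."""

    def __init__(self, timeout, max_bytes=None):
        self.timeout = timeout        # reassembly timeout, seconds
        self.max_bytes = max_bytes    # optional memory cap (assumed extra protection)
        self.queues = OrderedDict()   # datagram key -> queue, oldest first
        self.used = self.peak = self.completed = 0

    def _drop(self, key):
        self.used -= sum(self.queues.pop(key)["frags"].values())

    def expire(self, now):
        # Arrival times only increase, so the oldest queue is always first.
        while self.queues:
            key, q = next(iter(self.queues.items()))
            if now - q["first"] < self.timeout:
                break
            self._drop(key)

    def add(self, now, key, offset, length, more_fragments):
        self.expire(now)
        q = self.queues.setdefault(key, {"first": now, "frags": {}, "total": None})
        if offset in q["frags"]:
            return                    # duplicate fragment, ignore
        q["frags"][offset] = length
        self.used += length
        if not more_fragments:
            q["total"] = offset + length   # last fragment fixes the datagram size
        while self.max_bytes is not None and self.used > self.max_bytes:
            self._drop(next(iter(self.queues)))   # evict the oldest datagram
        self.peak = max(self.peak, self.used)
        if key in self.queues and sum(q["frags"].values()) == q["total"]:
            self._drop(key)           # all bytes present: packet is handed up
            self.completed += 1

def peak_memory(timeout, frags_per_s, seconds, max_bytes=None):
    """Peak bytes held when every datagram stays incomplete (constructed input)."""
    table = ReassemblyTable(timeout, max_bytes)
    ident = 0
    for now in range(seconds):
        for _ in range(frags_per_s):
            table.add(now, ("192.0.2.10", ident), 0, FRAG_LEN, True)
            ident += 1
    return table.peak
```

At 100 fragments per second the model holds 8,880,000 bytes with a 60-second timeout and 740,000 bytes with a 5-second timeout, which is rate times timeout in both cases; with a cap set, the peak stays under the cap regardless of the timeout.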