Bugtraq mailing list archives

Re: IPv4 fragmentation --> The Rose Attack


From: <gandalf () digital net>
Date: Sat, 10 Apr 2004 11:22:01 -0500

Greetings and Salutations:

On 4/10/04 8:23 AM, "Darren Reed" <avalon () caligula anu edu au> wrote:
> In some mail from gandalf () digital net, sie said:
>> I work at many other places than on my own personal computers.  I would like
>> to know if attacks might affect any number of computers.  I am a computer
>> professional.
>
> And if so, surely any place where you see "Windows 9*/ME" should bring a
> "you need to start planning on upgrading/replacing these with 2K/XP, if
> you haven't already." styled response.

Yup.  Been there, did that.  Small businesses have a hard enough time
justifying doing maintenance much less buying new equipment.

>> Or program with queues that drop packets in a FIFO fashion that have enough
>> memory that an attack will still allow fragmented packets to be serviced.
>> You can (at least) make it harder to DoS a machine.
>
> If the time an entry stays in the queue is less than the time required
> for reassembly to occur then even a FIFO will not suffice as an adequate
> algorithmic countermeasure.  There are solutions to this too, but this
> is just to say that it's more complex than "throw this data structure
> in to fix."
> Darren

Agree 100% that a simple data structure will not fix this problem.  But it
is a start.  I would also say that in this case a "standard" (i.e. RFC) for
fragmentation reassembly should be written to take all of the diverse ways
that fragments are handled and standardize them.  Again I am amazed that
every machine I hit with fragments seems to have a different effect on the
machine than the last machine I tested against.

Ken

---------------------------------------------------------------
Do not meddle in the affairs of wizards for they are subtle and
quick to anger.
Ken Hollis - Gandalf The White - gandalf () digital net - O- TINLC
WWW Page - http://digital.net/~gandalf/
Trace E-Mail forgery - http://digital.net/~gandalf/spamfaq.html
Trolls crossposts - http://digital.net/~gandalf/trollfaq.html
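
Added example, not part of the original thread: a small Python model of the FIFO-drop reassembly table debated above, comparing how long an entry survives in the table with how long a legitimate datagram needs to reassemble. The table sizes, flood rate and timings are constructed values, and the model assumes two-fragment datagrams and one-millisecond ticks.

```python
from collections import OrderedDict

def simulate(capacity, flood_per_ms, reassembly_ms,
             duration_ms=2000, legit_every_ms=100):
    """Count legitimate two-fragment datagrams that reassemble.

    capacity      -- slots in the reassembly table (oldest dropped when full)
    flood_per_ms  -- entries created per ms that never complete
    reassembly_ms -- gap between a legitimate first and last fragment
    Returns (completed, started).
    """
    table = OrderedDict()   # key -> True; insertion order is entry age
    pending = {}            # legitimate key -> tick its last fragment arrives
    completed = started = next_bogus = 0

    def insert(key):
        if len(table) >= capacity:
            table.popitem(last=False)   # FIFO drop of the oldest entry
        table[key] = True

    for now in range(duration_ms):
        # Last fragments of legitimate datagrams due at this tick.
        for key in [k for k, due in pending.items() if due == now]:
            del pending[key]
            if key in table:            # first fragment survived in the table
                del table[key]
                completed += 1
        # First fragment of a new legitimate datagram.
        if now % legit_every_ms == 0 and now + reassembly_ms < duration_ms:
            key = ("legit", now)
            insert(key)
            pending[key] = now + reassembly_ms
            started += 1
        # Entries that never complete and only occupy slots.
        for _ in range(flood_per_ms):
            insert(("bogus", next_bogus))
            next_bogus += 1
    return completed, started

if __name__ == "__main__":
    # Constructed scenarios: (capacity, flood_per_ms, reassembly_ms).
    for args in [(64, 0, 30), (64, 4, 30), (64, 4, 10), (256, 4, 30)]:
        done, total = simulate(*args)
        residence = args[0] / args[1] if args[1] else float("inf")
        print(f"cap={args[0]:3} flood={args[1]}/ms reasm={args[2]}ms "
              f"residence~{residence:.0f}ms -> {done}/{total} reassembled")
```

With 64 slots and 4 new entries per millisecond an entry survives about 16 ms, so a 30 ms reassembly never completes while a 10 ms one always does; raising the table to 256 slots lifts survival to about 64 ms and the 30 ms case recovers.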


