[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

IPv4 fragmentation --> The Rose Attack

To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: IPv4 fragmentation --> The Rose Attack
From: Gandalf The White <gandalf@xxxxxxxxxxx>
Date: Sun, 26 Sep 2004 23:28:39 -0500

Greetings and Salutations:

While this discussion pertains to IPv4, IPv6 also allows fragmentation and I
suspect IPv6 will also be affected by this attack.

This is an extension of the "Rose Attack" previously posted to the Bugtraq
mailing list.  I have decided to call this attack the "New Dawn attack" to
differentiate this attack from the original "Rose Attack".

The following explanation is currently up to date and will be updated as
necessary:
http://digital.net/~gandalf/Rose_Frag_Attack_Explained.htm
http://digital.net/~gandalf/Rose_Frag_Attack_Explained.txt

After I released the initial Rose Attack, Paul Starzetz mentioned that you
can also cause high CPU utilization using a variation of this attack.  The
high CPU is caused by sending a large number of small fragments (with
fragments missing) then sending the final fragment repetitively.  Each time
the last fragment is sent the CPU tries to reassemble the entire fragment
with the associated allocate / free memory for the size of the fragment.

Of the machines I have had access to, this attack has caused any number of
the following problems:
1) Causes the CPU to spike, thus exhausting processor resources.
2) Legitimate fragmented packets are dropped intermittently (unfragmented
packets get through fine)
3) Legitimate fragmented packets are no longer accepted by the machine under
attack (unfragmented packets get through fine) until the fragmentation time
exceeded timers expire.

The following devices were tested.  Some showed some or all of the above
Symptoms, Mac OS/X and Mandrake 10 did not show any problems.  See the above
Rose_Frag_Attack_Explained.htm file for a table of the tests that were run
(bottom of the file):
1) Microsoft Windows 2000
2) Mandrake Linux 9.2
3) Mandrake Linux 10
4) Microsoft Windows XP
5) Mac OS/X V10.3.5

The following vendors have been notified of this condition prior to the
release of this announcement:
1) Microsoft
2) Cisco
3) Apple

Apple has provided a software fix:
CVE-IDs: CAN-2004-0744

Mandrake 10 / Linux Kernel v2.6 is not vulnerable.

Software implementation of the New Dawn Attack:
http://digital.net/~gandalf/NewDawn.c
http://digital.net/~gandalf/NewDawn2.c
http://digital.net/~gandalf/NewDawn3.c
http://digital.net/~gandalf/NewDawn4.c

You will need NetW(ib)(ox)(ag) for NewDawn3 and NewDawn4:
http://www.laurentconstantin.com/en/netw/
I used:
http://www.laurentconstantin.com/common/netw/download/v5/netw-ib-ox-ag-5.24.
0.tgz

The suggested software solution to this attack is to peruse the Linux Kernel
v2.6.8-rc4 /net/ipv4/ip_fragment.c code.  They have done a pretty good job
(with the exception of the small fragment buffer IMHO) of keeping the above
problems to a minimum.

If you have any questions please ask.

Ken

------------------------------------------------------------------
Do not meddle in the affairs of wizards for they are subtle and
quick to anger.
Ken Hollis - Gandalf The White - gandalf@xxxxxxxxxxx - O- TINLC
WWW Page - http://gandalf.home.digital.net/
Trace E-Mail forgery - http://gandalf.home.digital.net/spamfaq.html
Trolls crossposts  - http://gandalf.home.digital.net/trollfaq.html

Prev by Date: Re: cdrecord local root exploit
Next by Date: Re:[3] Corsaire Security Advisory - Multiple vendor MIME RFC2047 encoding issue
Previous by thread: New Macromedia Security Zone Bulletins Posted
Next by thread: Re: HTTP Response Splitting and SQL injection in megabbs forum
Index(es):
- Date
- Thread