Re: IPv4 fragmentation --> The Rose Attack
Greetings and Salutations:
On 4/8/04 1:26 PM, "Darren Reed" <avalon@xxxxxxxxxxxxxxxxxxx> wrote:
> In some mail from Ventsislav Genchev, sie said:
>>
>> I've tested the attack on 4 machines..
>> The first two were running windows 98 SE with all patches and service
>> packs... the CPU stuck the 100% as soon as the attack started..
>>
> Is there any real point in testing Windows 9*, still ?
> Does anyone care, including Microsoft, enough to want it fixed rather
> than get people to upgrade to something that is better when it comes
> to security, overall ?
>From my experience in the real world, specifically with Windows 98 (and I
suspect ME) I would say that yes we should care. You would probably be
frightened at the number of people still running Windows 9* and ME.
With a OS like Linux most people are *PROBABLY* on a newest version, but I
bet you have companies who had a consultant parachute in, set up the Linux
box and then leave. Nobody touches the box because they are afraid to.
Also:
Snort (IDS) does not detect this as an attack. Please note that any Snort
rule should allow for two "small" fragments making a "large" buffer. The
attack I published can easily be modified with different size packets and
the end fragment put in different areas of the fragment (at the end, near
the end, etc.).
If anybody is able to "attack" any other machines please tell me the
results, I am curious. I have come up with the following:
MoDem speeds:
1) Microsoft 2000 - 200 packets in less than 2 minutes completely shuts off
legitimate fragmented packets
2) PIX - 200 packets in less than 5 to 20 seconds completely shuts off
fragmentation
LAN speeds:
1) LINUX running on a 450 MHz (I know, very slow but it is all I had) high
CPU utilization, some missed packets at ?400 Kbits / sec? (I have to run
this test again)
2) Macintosh G4 dual proc - some missed pings starting at about 110 Kbits /
sec (no / very little CPU utilization increase)
Mike from the FreeBSD mailing list has told me that there may or may not be
very much code sharing between the Mac OSX and FreeBSD, so the above tests
may not apply to FreeBSD.
3) Cisco 2621XM router - 20% to 30% utilization at 600KBits / second
There is an article discussing the fragment attack from IDefense that claims
that a Cisco 675 router had to be rebooted !?!??? The article:
http://www.eweek.com/print_article/0,1761,a=123491,00.asp
Ken
---------------------------------------------------------------
Do not meddle in the affairs of wizards for they are subtle and
quick to anger.
Ken Hollis - Gandalf The White - gandalf@xxxxxxxxxxx - O- TINLC
WWW Page - http://digital.net/~gandalf/
Trace E-Mail forgery - http://digital.net/~gandalf/spamfaq.html
Trolls crossposts - http://digital.net/~gandalf/trollfaq.html