Re: IPv4 fragmentation --> The Rose Attack
Greetings and Salutations:
On 4/9/04 12:56 PM, "Darren Reed" <avalon@xxxxxxxxxxxxxxxxxxx> wrote:
> In some mail from gandalf@xxxxxxxxxxx, sie said:
>> From my experience in the real world, specifically with Windows 98 (and I
>> suspect ME) I would say that yes we should care. You would probably be
>> frightened at the number of people still running Windows 9* and ME.
>
> In this particular case, whether someone is running Windows ME/9* is
> irrelevant to me - it's a local attack against them that isn't likely
> to affect me.
I work at many other places than on my own personal computers. I would like
to know if attacks might affect any number of computers. I am a computer
professional.
> Further, most likely all the people who are still using Windows9*/ME
> are not reading this, are not likely to ever hear about whether their
> PC is vulnerable or understand it if they read about it in the paper.
> Hence automatic updates in 2k/XP/...
See above. I am betting that there are many computer professionals who
would like to know what they are up against when they visit a customers site
and see computers "acting funny".
> Anyone who assumes that people who use/run Linux automatically run the
> latest version of anything has their head in the sand. It just doesn't
True. I agree wholeheartedly.
>> MoDem speeds:
>> 1) Microsoft 2000 - 200 packets in less than 2 minutes completely shuts off
>> legitimate fragmented packets
>> 2) PIX - 200 packets in less than 5 to 20 seconds completely shuts off
>> fragmentation
>
> Recovery time or isn't there one ?
Oops. I missed on this one, good question.
All of the numbers I worked with were packets in the amount of time
specified. So in windows if you keep a up a continuous stream of 200
packets (2 fragments) in 2 minutes then no legitimate fragmented packets can
get through. When you stop the attack the Windows 2000 machine recovers and
works normally.
If you keep up 200 fragments (not packets as I said) per 5 to 20 seconds
against a PIX firewall the same happens. When you stop the device recovers
and works normally.
Same with the other machines I tested against (obviously not a large sample
of machines). Stop sending fragmented packets and they return to normal.
> Unless it crashes the whole system, I don't think it's particularly
> interesting as most people try and avoid dealing with frgaments,
> these days, using PMTU discovery.
Again, see my original post. Between cell phones, satellite and other
devices fragmentation is needed on the Internet.
> In contrast to other algorithms that try and prevent synflooding
> (jamming the listen queue with SYN packets), there's no easy way
> out here because the target of the attack is not expected to send
> any packets back at the "source". All you can seemingly do is play
> around with limits and timeouts and things like that to at best
> focus the problem.
> Darren
Or program with queues that drop packets in a FIFO fashion that have enough
memory that an attack will still allow fragmented packets to be serviced.
You can (at least) make it harder to DoS a machine.
Ken
---------------------------------------------------------------
Do not meddle in the affairs of wizards for they are subtle and
quick to anger.
Ken Hollis - Gandalf The White - gandalf@xxxxxxxxxxx - O- TINLC
WWW Page - http://digital.net/~gandalf/
Trace E-Mail forgery - http://digital.net/~gandalf/spamfaq.html
Trolls crossposts - http://digital.net/~gandalf/trollfaq.html