Bugtraq mailing list archives

Re: Denial of Service Attacks INFO

From: reschly () ARL MIL (Robert J. Reschly Jr.)
Date: Thu, 23 May 1996 11:21:13 EDT

UDP Bomb - By sending a UDP packet with incorrect information in the
header, some Sun-OS 4.1.3 Unix boxes will panic and then reboot.


   The problem was not limited to UDP.  We had early production models
of the Xerox Encryption Units (XEU), devices which would eat an Ethernet
framed IP packet and encrypt only the Data portion of the Ethernet frame
for secure transmission to another XEU.  The early versions of this box
left the Ethernet Length/Type field alone.  When the XEU encrypted a
broadcast packet, all machines on the wire would receive the Ethernet
frame, look at the Length/Type field and hand the packet off to IP for
further processing.  Since all the Ethernet frame Data (i.e. the entire
IP packet) was scrambled, attempting to process this as IP data was,
umm.... interesting (really tested the packet handling and validation
code).  The Suns (running 4.1.1 or 4.1.3 at the time, I cannot remember
which), paniced.

   After we showed Xerox the error of their ways :-) Xerox applied for
and received an Ethernet Length/Type identifier for XEU encrypted
Ethernet frames, and they modified their boxes to use it.  The original
Length/Type code was copied "inside" the data portion of the encrypted
Ethernet frame and the XEU could either fragment Ethernet frames which
became too long (already necessary due to the encryption process), or
the source host MTU could be cranked down to prevent this.  We tended
to do the latter because the XEU (and all similar boxes, btw) are a real
bottleneck and it was faster in the long run to send a few more slightly
shorter IP packets than it was to process two encrypted Ethernet frames
for each IP packet.

                                Idly,
                                   Bob
-------
U.S. Army Research Laboratory / Advanced Simulation and High Performance
Computing Directorate / High Performance Computing Division / Computing
Technologies Branch / Advanced Development Team / Aberdeen Proving Ground,
MD  21005-5067 / ATTN: AMSRL-SC-CC (Reschly) // e-mail:reschly () ARL MIL //
Voice: (410)278-8612(VM)  FAX: (410)278-5077  DSN:298-  FTS:939-  APG, MD ofc
Voice: (703)812-8205      FAX: (703)812-9701         HPCMO Alexandria, VA ofc

****  For a good time, call: (303)499-7111.   Seriously!  ****

Current thread:

Is _your_ Netscape under remote control, (continued)
- - Is _your_ Netscape under remote control martinh () mailhost emap co uk (May 24)
    - Re: Is _your_ Netscape under remote control Chris Burris (May 24)
    - CIAC Bulletin G-25: SUN statd Program Vulnerability David Crawford (May 24)
    - Re: Is _your_ Netscape under remote control Phillip Wherry (May 24)
    - Re: Is _your_ Netscape under remote control Dave Taylor (May 23)
    - Re: Is _your_ Netscape under remote control Darrell Fuhriman (May 24)
    - Re: Is _your_ Netscape under remote control Dave Horsfall (May 25)
    - Re: Is _your_ Netscape under remote control Wolfgang Ley (May 27)
    - Re: Is _your_ Netscape under remote control Sven Neuhaus (May 24)
    - Re: Is _your_ Netscape under remote control Roger Espel Llima (May 24)
- Re: Denial of Service Attacks INFO Robert J. Reschly Jr. (May 23)