Bugtraq mailing list archives
Re: IPv4 fragmentation --> The Rose Attack
From: Paul Starzetz <ihaquer () isec pl>
Date: Thu, 8 Apr 2004 17:24:57 +0200 (CEST)
gandalf () digital net wrote:
> The attack is simple. Two parts of a fragmented packet are sent to the machine being attacked. The first fragment (payload 32 bytes long) is the initial offset zero fragment of a SYN packet. The final (second) fragment of the SYN packet is also 32 bytes in size, but is set to an offset of 64800 bytes into the datagram.
There is a similar fragmentation attack which works pretty nicely against Linux.

From the source code of ip_fragment.c it follows that the worst case is if you send small fragments of a datagram beginning from 0 to, let's say, 60000 in pieces of 8 bytes each. This will cause the defragmentation code to build a linear list of socket buffers. If you now continue to send the last fragment, the kernel will cycle over that list over and over, for every packet, and finally kfree the last fragment and replace it by the new one. That causes a really nice load... It killed at least a 2.4.25 running on an Athlon 850.

--
Paul Starzetz
iSEC Security Research
http://isec.pl/
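The pattern described in the post (a datagram delivered as a long run of tiny fragments, followed by the final fragment sent again and again) is visible to a monitor that tracks reassembly state per (source, destination, IP ID). The following is an added detection example, not code from the post or from the Linux kernel; the thresholds (MAX_FRAGMENTS, TINY_BYTES, MAX_DUPLICATES) and the sample fragment streams are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field


# Constructed fragment record. A real monitor would fill these fields from the
# IP header (source, destination, identification, fragment offset, MF flag,
# payload length); offsets here are in bytes, not the header's 8-byte units.
@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ip_id: int
    offset: int   # byte offset of this piece within the original datagram
    length: int   # payload bytes carried by this fragment
    more: bool    # MF (more fragments) flag


@dataclass
class ReassemblyState:
    count: int = 0            # fragments seen for this datagram
    tiny: int = 0             # fragments with payload <= TINY_BYTES
    duplicates: int = 0       # fragments repeating an offset already seen
    offsets: set = field(default_factory=set)


# Assumed thresholds: a full 64 KiB datagram on a 1500-byte MTU needs about
# 45 fragments, so well over a hundred, mostly tiny, is not normal traffic.
MAX_FRAGMENTS = 128
TINY_BYTES = 8
MAX_DUPLICATES = 4


def analyze(fragments):
    """Replay fragments in arrival order; return (key, reason) alerts raised once per key."""
    states = defaultdict(ReassemblyState)
    alerts = []
    alerted = set()
    for f in fragments:
        key = (f.src, f.dst, f.ip_id)
        st = states[key]
        st.count += 1
        if f.length <= TINY_BYTES:
            st.tiny += 1
        if f.offset in st.offsets:
            st.duplicates += 1
        st.offsets.add(f.offset)

        reasons = []
        # Many fragments, most of them minimal: the linear-list worst case.
        if st.count > MAX_FRAGMENTS and st.tiny > st.count // 2:
            reasons.append("flood of tiny fragments")
        # The same offset keeps arriving: a repeatedly resent tail fragment.
        if st.duplicates > MAX_DUPLICATES:
            reasons.append("repeated fragment at same offset")
        for reason in reasons:
            if (key, reason) not in alerted:
                alerted.add((key, reason))
                alerts.append((key, reason))
    return alerts


def build_benign():
    # Constructed: a 6000-byte datagram fragmented for a 1500-byte MTU.
    frags = [Fragment("10.0.0.5", "10.0.0.9", 100, i * 1480, 1480, more=True)
             for i in range(4)]
    frags.append(Fragment("10.0.0.5", "10.0.0.9", 100, 4 * 1480, 80, more=False))
    return frags


def build_suspicious():
    # Constructed: 8-byte fragments from offset 0 up to 60000, then the final
    # fragment resent ten times, mirroring the stream the post describes.
    frags = [Fragment("192.0.2.7", "10.0.0.9", 200, off, 8, more=True)
             for off in range(0, 60000, 8)]
    frags += [Fragment("192.0.2.7", "10.0.0.9", 200, 60000, 8, more=False)
              for _ in range(10)]
    return frags


if __name__ == "__main__":
    print("benign   :", analyze(build_benign()))
    print("suspicious:", analyze(build_suspicious()))
```

The monitor keys state on (src, dst, IP ID) only, so two hosts sharing an IP ID space are not confused; a production version would also key on the protocol field and expire entries on a timer, since the defender's own reassembly table is exactly the resource being targeted.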
Current thread:
- Re: IPv4 fragmentation --> The Rose Attack Crist J. Clark (Mar 31)
- Re: IPv4 fragmentation --> The Rose Attack stanislav shalunov (Apr 01)
- <Possible follow-ups>
- Re: IPv4 fragmentation --> The Rose Attack Chris Brenton (Apr 01)
- Re: IPv4 fragmentation --> The Rose Attack Paul Starzetz (Apr 08)