Vulnerability Development mailing list archives
Re: --== Fragementation Attacks ==--
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Mon, 26 Jan 2004 20:21:13 +0300
Dear Munir Ahmad,

--Saturday, January 24, 2004, 1:23:45 PM, you wrote to VULN-DEV () SECURITYFOCUS COM:

MA> I would like to inquire you about Fragmentation Attacks, I'm not
MA> fully aware of it, How does an attacker do Fragment Attacks, and can you
MA> give me some idea how to solve the problem concerning with Fragmentation
MA> Attacks.

A single IP packet may theoretically be up to 64K and can be sliced, during sending or transmission, into a number of fragments to fit the MTU (usually 1500 bytes). The remote side reassembles the packet from the fragments. It waits for the reassembly timeout (RFC 1122 recommends 60 seconds) for all fragments to appear.

Flooding a remote host with a large number of incomplete packets may lead to memory consumption, because all fragments are stored in kernel memory during reassembly. Theoretically you can consume up to bandwidth*reassembly_timeout if no protection is implemented in the OS.

Protection may be to reduce the IP reassembly timeout (5 seconds is usually quite enough) and deny TCP/SYN, ICMP and UDP fragments and unused protocols, plus stateful filtering on the router. You must be careful with a few protocols; for example, NFS is a source of fragmented UDP. Fragmented ICMP is required for ping with a large packet size.

--
~/ZARAZA
Eternal memory to Saint Patrick! (Twain)
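The bandwidth*reassembly_timeout bound from the message above, worked through as an added example that is not part of the original post: a toy Python model of a reassembly queue fed only incomplete datagrams, comparing the 60-second and 5-second timeouts. The class and function names, the 1 MB/s input rate, the 1000-byte fragment size and the optional memory cap are assumptions made for illustration and do not reflect any particular kernel.

```python
from collections import OrderedDict

class ReassemblyTable:
    """Toy model of an IP reassembly queue (not any real kernel's code)."""

    def __init__(self, timeout_s, max_bytes=None):
        self.timeout_s = timeout_s      # reassembly timeout, seconds
        self.max_bytes = max_bytes      # assumed optional cap on buffered bytes
        self.queues = OrderedDict()     # datagram key -> (first_seen, bytes)
        self.bytes_held = 0
        self.peak_bytes = 0

    def expire(self, now):
        # Oldest datagrams sit at the front; free those past the timeout.
        while self.queues:
            key, (first_seen, size) = next(iter(self.queues.items()))
            if now - first_seen < self.timeout_s:
                break
            del self.queues[key]
            self.bytes_held -= size

    def add_fragment(self, now, key, size):
        """Buffer one fragment; return False if the memory cap drops it."""
        self.expire(now)
        if self.max_bytes is not None and self.bytes_held + size > self.max_bytes:
            return False
        first_seen, held = self.queues.get(key, (now, 0))
        self.queues[key] = (first_seen, held + size)
        self.bytes_held += size
        self.peak_bytes = max(self.peak_bytes, self.bytes_held)
        return True

def peak_memory(timeout_s, bytes_per_sec, frag_size=1000, duration_s=120,
                max_bytes=None):
    """Peak bytes buffered when every arriving datagram stays incomplete."""
    table = ReassemblyTable(timeout_s, max_bytes)
    ident = 0  # model simplification: one unique key per datagram
    for now in range(duration_s):
        for _ in range(bytes_per_sec // frag_size):
            # Constructed addresses from the documentation ranges, proto 17 (UDP).
            table.add_fragment(now, ("192.0.2.1", "198.51.100.1", 17, ident), frag_size)
            ident += 1
    return table.peak_bytes

if __name__ == "__main__":
    rate = 1_000_000  # constructed input rate: 1 MB/s of fragments
    for timeout in (60, 5):
        print(f"timeout {timeout:2d}s -> peak {peak_memory(timeout, rate):,} bytes")
    print(f"60s + 1 MB cap -> peak {peak_memory(60, rate, max_bytes=1_000_000):,} bytes")
```

The model counts only fragment payload bytes; per-fragment bookkeeping overhead in a real stack would add to these figures.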