Bugtraq mailing list archives
Re: Denial of service attack against tcpdump
From: bretonh () PARANOIA PGCI CA
Date: Sat, 6 May 2000 15:46:01 -0400
On Sat, 06 May 2000, dr () dursec com wrote:

> This all points to another reason to always run tcpdump with "tcpdump -n"
> err...
> quiet mode as you called it.
> ...
> The moral of the story is that where tcpdump is concerned "-n" is a very nice option.
I agree that "-n" is a very nice option, but I must point out that it will *not* fix this problem. The only way to make tcpdump not print out the domain names in DNS queries and answers is to use the quiet output mode, which is the "-q" option (of course, you can modify the sources, but then why wouldn't you fix the bug while you're at it?). The "-n" option is only to stop tcpdump from resolving IP addresses in the IP header. The "-q" option, however, does not print out much information: you don't get to see TCP flags, some protocol options, etc.

It is also worth mentioning that this should really be fixed, because even if your tcpdump filter tries not to target UDP datagrams, someone wanting to disable your tcpdump could make it try to display the packet by exploiting your filter expression: let's say you're on the lookout for "smurf attacks" and are using a filter containing "ip[19]=255". If someone sends out a DNS query containing a loop to an address like X.X.X.255, tcpdump will try to read the domain name and will fall into an infinite loop.

Cheers,

Hugo Breton
bretonh () pgci ca
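To make the failure mode above concrete, here is an added example (not code from the original post, and not tcpdump's own decoder). It constructs, as sample data, an IPv4/UDP datagram to a X.X.X.255 address carrying a DNS query whose QNAME is the label "www" followed by a compression pointer back to the start of the same name, shows that the byte test behind the filter "ip[19]=255" matches that packet, and contrasts a decoder that follows pointers blindly with one that requires every pointer to move strictly backwards. The addresses, port numbers, function names and the step budget on the naive decoder are assumptions made for the demonstration; the backwards-only rule is a standard termination check, not a claim about how tcpdump was eventually patched.

```python
import socket
import struct


def build_looping_dns_query():
    """Constructed sample: QNAME = label "www" + pointer 0xC00C back to offset 12,
    i.e. to the start of the very same name. Following pointers blindly gives
    www -> pointer -> www -> pointer ... without end."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)   # id, RD set, qdcount=1
    return header + b"\x03www" + b"\xc0\x0c" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def build_valid_dns_message():
    """Constructed sample with a legitimate pointer: the answer's owner name at
    offset 33 points back to the question name at offset 12."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.10")
    return header + question + answer


def ipv4_checksum(header):
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_datagram(src, dst, payload, dport=53):
    """Bare IPv4 + UDP (no link layer). UDP checksum left at 0, which IPv4 allows;
    the source port 40000 is an arbitrary assumed value."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:] + udp


def matches_ip19_eq_255(pkt):
    """The byte test behind the filter "ip[19]=255": offset 19 of the IPv4 header
    is the last octet of the destination address, so any X.X.X.255 target matches."""
    return len(pkt) > 19 and pkt[19] == 255


def dns_payload(pkt):
    ihl = (pkt[0] & 0x0F) * 4           # IPv4 header length in bytes
    return pkt[ihl + 8:]                # skip the 8-byte UDP header


def decode_name_naive(msg, offset, budget=10000):
    """Follows compression pointers with no loop check. `budget` is an assumed
    cap so the demo returns; without it this spins on the looping query."""
    labels, pos = [], offset
    for _ in range(budget):
        length = msg[pos]
        if length == 0:
            return ".".join(labels)
        if length & 0xC0 == 0xC0:
            pos = ((length & 0x3F) << 8) | msg[pos + 1]
            continue
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    raise RuntimeError("no terminating label after %d steps: pointer loop" % budget)


def decode_name(msg, offset):
    """Loop-safe decoder: each pointer must target an offset strictly below the
    lowest offset reached so far, so the walk only moves backwards and ends after
    at most len(msg) steps. Returns (name, offset where parsing resumes)."""
    labels, pos, lowest, resume = [], offset, offset, None
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        if length == 0:
            return ".".join(labels), (resume if resume is not None else pos + 1)
        if length & 0xC0 == 0xC0:
            if pos + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if resume is None:
                resume = pos + 2        # parsing continues after the first pointer
            if target >= lowest:
                raise ValueError("pointer at %d to %d does not move backwards: loop" % (pos, target))
            lowest = pos = target
            continue
        if length > 63 or pos + 1 + length > len(msg):
            raise ValueError("bad label length 0x%02x at offset %d" % (length, pos))
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length


def demo():
    """Runs the scenario: filter match, then decoding the question name both ways."""
    loop = build_udp_datagram("10.0.0.1", "10.0.0.255", build_looping_dns_query())
    good = build_udp_datagram("10.0.0.1", "10.0.0.2", build_valid_dns_message())
    out = {"loop_matches_filter": matches_ip19_eq_255(loop),
           "good_matches_filter": matches_ip19_eq_255(good),
           "good_name": decode_name(dns_payload(good), 12)[0]}
    try:
        decode_name_naive(dns_payload(loop), 12)
    except RuntimeError as e:
        out["naive"] = str(e)
    try:
        decode_name(dns_payload(loop), 12)
    except ValueError as e:
        out["safe"] = str(e)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-20s %s" % (key, value))
```

The point of the `lowest` bookkeeping is that a pointer into the region already walked (including the start of the current name itself, as in the sample) can never be legitimate compression, since RFC 1035 pointers refer to a prior occurrence; rejecting anything that does not strictly decrease is what bounds the loop, and it costs nothing on well-formed messages.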