Bugtraq mailing list archives
Re: IPv4 fragmentation --> The Rose Attack
From: stanislav shalunov <shalunov () internet2 edu>
Date: 31 Mar 2004 21:21:39 -0500
"Crist J. Clark" <cristjc () comcast net> writes:
IPv6 does have end-station fragmentation, and therefore, it DOES have reassebly, see Section 4.5 of RFC2460. I do not see why an IPv6 implementation would not also potentially be affected.
You're correct. IPv6 is affected as well.
This is YANFA, Yet Another IP Fragmentation Attack. Teardrop, Ping O' Death, NewTear, Boink, yada-yada. Some have exploited bugs in reassembly code (over lapping frags, >65535-byte packets, etc.) and others, like this, are flat out resource exhaustion DoSes.
What you list above is, to an extent, different from this attack. While with teardrop et al. a specific bug is exploited and it is quite clear how to fix the bug so that the attack no longer works, this attack stems from the very requirement to reassemble packets. For IPv6, one is to keep fragments for 60 seconds. For IPv4, there's no specific timeout, but 15 to 255 seconds are mentioned. In other words, regardless of IP version, this technique allows an attacker to lock tens of kilobytes of kernel memory for tens of seconds by sending two small packets. This is an order to two orders of magnitude less powerful than TCP-based attacks that allow an attacker to lock tens of kilobytes of kernel memory for tens of minutes by sending two small packets. With TCP-based attacks, a DSL user can use up all memory of a server [1]. With this, more than T1 worth of capacity is required to keep a server's memory locked up.
The IP stack needs to be sane about how many datagrams it will try to reassemble at once.
Using a direct memory limit would seem a preferable strategy (combined with using data structures that don't need to allocate 64kB just to hold two tiny fragments). [1] Assume 128B for two packets, 128kb/s uplink, 64kB TCP window size on the server, and 500-second timeout; then we have 125 hits per second, taking out 64kB each for 500s. That's 4GB of kernel memory on the server. -- Stanislav Shalunov http://www.internet2.edu/~shalunov/
Current thread:
- Re: IPv4 fragmentation --> The Rose Attack Crist J. Clark (Mar 31)
- Re: IPv4 fragmentation --> The Rose Attack stanislav shalunov (Apr 01)
- <Possible follow-ups>
- Re: IPv4 fragmentation --> The Rose Attack Chris Brenton (Apr 01)
- Re: IPv4 fragmentation --> The Rose Attack Paul Starzetz (Apr 08)