Vulnerability Development mailing list archives

Re: Networking theories


From: Matthew.King () CWO NET AU (Matthew King)
Date: Mon, 8 May 2000 22:09:41 +1000


Hi.

This is true. Does anyone know which implementations of IP actually check
the contents of a Source Quench ICMP packet? It would be interesting to
know; perhaps some testing could be done with various OSes to see which are
actually susceptible to this kind of DoS.

Cya
Matthew

Matthew King.
Network Engineer, Cable & Wireless Optus.

 -----Original Message-----
From:   Pavel Kankovsky [mailto:peak () ARGO TROJA MFF CUNI CZ]
Sent:   Sunday, 7 May 2000 11:12 PM
To:     VULN-DEV () SECURITYFOCUS COM
Subject:        Re: Networking theories

On Sat, 6 May 2000, Matthew King wrote:

Source Quench packets contain the first 64 bytes of the original datagram's
data. You would have to obtain this information somehow, perhaps via
sniffing. If I am wrong, please let me know. As far as I can tell, this
would be the limiting factor to using this as a type of DoS.

Unless the destination host checks those 64 bytes thoroughly, all you need
is to guess the source and the destination port number (moreover,
it is unlikely you will be stopped by egress filtering if you spoof the
contents of an ICMP message only rather than its real source address, which
does not really matter). If one of the numbers is known (i.e. you want to
attack a specific service), you need to guess one number out of 2^16. This
is quite close to a feasible attack even when you have no clue what the
other port number might be... OTOH, the flood of 2^16 datagrams of 50+
bytes (3+ MB of data) would probably have the same effect even if
none of them was a Source Quench matching an actual connection.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
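As an added example (not code from either message in this thread), the check Pavel describes, sketched in Python from the receiving host's side. The host parses an ICMP Source Quench, extracts the quoted IP header plus the first 8 bytes of the original payload (which for TCP carry both port numbers and the sequence number), and accepts the message only if it matches a live connection in its own table and the quoted sequence number falls within the data currently in flight, the validation RFC 5927 recommends for ICMP errors against TCP. Without the sequence check, the message is accepted as soon as the ports match, which is exactly the 2^16 guess Pavel is counting. The addresses, ports, connection table and packets are constructed fixtures, and the ICMP checksum is assumed to have been verified before this point. Source Quench itself was deprecated by RFC 6633 and current stacks ignore it, but the same header-matching logic applies to the ICMP errors that are still honoured.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Dict, Tuple

# ICMP type 4 = Source Quench (RFC 792; deprecated by RFC 6633).
ICMP_SOURCE_QUENCH = 4
IPPROTO_TCP = 6
SEQ_MOD = 1 << 32


@dataclass(frozen=True)
class TcpConn:
    """Send-side state the host already keeps for one of its connections."""
    snd_una: int  # oldest sequence number not yet acknowledged
    snd_nxt: int  # next sequence number this host will send


# Keyed by (local_addr, local_port, remote_addr, remote_port). The IP header
# quoted in a Source Quench is one *we* sent, so its source is our own side.
ConnTable = Dict[Tuple[str, int, str, int], TcpConn]


def seq_in_flight(seq: int, snd_una: int, snd_nxt: int) -> bool:
    """True if SND.UNA <= seq < SND.NXT, honouring 32-bit wraparound."""
    return (seq - snd_una) % SEQ_MOD < (snd_nxt - snd_una) % SEQ_MOD


def validate_source_quench(icmp: bytes, conns: ConnTable) -> Tuple[bool, str]:
    """Decide whether an ICMP Source Quench refers to a live TCP connection.

    `icmp` is the ICMP message with the outer IP header already stripped; the
    ICMP checksum is assumed to have been verified by the caller.
    """
    if len(icmp) < 8:
        return False, "truncated ICMP header"
    if icmp[0] != ICMP_SOURCE_QUENCH:
        return False, "not a Source Quench (type %d)" % icmp[0]

    quoted = icmp[8:]  # original IP header + first 8 bytes of its payload
    if len(quoted) < 20 or quoted[0] >> 4 != 4:
        return False, "quoted datagram is not a complete IPv4 header"
    ihl = (quoted[0] & 0x0F) * 4
    if ihl < 20 or len(quoted) < ihl + 8:
        return False, "quoted header or first 8 payload bytes missing"
    if quoted[9] != IPPROTO_TCP:
        return False, "quoted protocol is not TCP (not handled here)"

    src = socket.inet_ntoa(quoted[12:16])
    dst = socket.inet_ntoa(quoted[16:20])
    sport, dport, seq = struct.unpack("!HHI", quoted[ihl:ihl + 8])

    conn = conns.get((src, sport, dst, dport))
    if conn is None:
        return False, "no connection matches quoted addresses/ports"
    if not seq_in_flight(seq, conn.snd_una, conn.snd_nxt):
        return False, "quoted sequence number is not in flight"
    return True, "matches a live connection; apply rate reduction"


def build_source_quench(src: str, dst: str, sport: int, dport: int, seq: int,
                        proto: int = IPPROTO_TCP) -> bytes:
    """Constructed test fixture: a Source Quench quoting a 20-byte IPv4 header
    and the first 8 bytes of a TCP segment. Checksums are left as zero."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    tcp_head = struct.pack("!HHI", sport, dport, seq)
    icmp_hdr = struct.pack("!BBHI", ICMP_SOURCE_QUENCH, 0, 0, 0)
    return icmp_hdr + ip_hdr + tcp_head


# Constructed documentation-range addresses and a single live connection.
LOCAL, REMOTE = "192.0.2.10", "198.51.100.5"
CONNS: ConnTable = {(LOCAL, 40000, REMOTE, 80): TcpConn(snd_una=1000, snd_nxt=1500)}


def demo() -> Dict[str, bool]:
    """Run the validator over constructed messages; True means accepted."""
    cases = {
        "genuine": build_source_quench(LOCAL, REMOTE, 40000, 80, 1200),
        "right ports, stale seq": build_source_quench(LOCAL, REMOTE, 40000, 80, 9_000_000),
        "wrong port": build_source_quench(LOCAL, REMOTE, 40001, 80, 1200),
        "udp quoted": build_source_quench(LOCAL, REMOTE, 40000, 80, 1200, proto=17),
        "truncated": build_source_quench(LOCAL, REMOTE, 40000, 80, 1200)[:30],
    }
    return {name: validate_source_quench(msg, CONNS)[0] for name, msg in cases.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} {'ACCEPT' if ok else 'DROP'}")
```

Only the first message is accepted; the second has the right four-tuple but a sequence number outside the window, which is the case a port-only check would wrongly let through.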

