Bugtraq mailing list archives

Re: Denial of service attack against tcpdump


From: bretonh () PARANOIA PGCI CA (bretonh () PARANOIA PGCI CA)
Date: Sat, 6 May 2000 15:46:01 -0400


On Sat, 06 May 2000, dr () dursec com wrote:

> This all points to another reason to always run tcpdump with "tcpdump -n"
> err...
> quiet  mode as you called it.
>
> ...
>
> The moral of the story is that where tcpdump is concerned "-n" is
> a very nice option.

I agree that "-n" is a very nice option, but I must point out that it
will *not* fix this problem.  The only way to make tcpdump not print out
the domain names in DNS queries and answers is to use the quiet output
mode which is the "-q" option (of course, you can modify the sources, but
then why wouldn't you fix the bug while you're at it?).  The "-n" option
is only to stop tcpdump from resolving IP addresses in the IP header.

The "-q" option, however, does not print out much information: you don't
get to see TCP flags, some protocol options, etc...  It is also worth
mentioning that this should really be fixed, because even if your tcpdump
filter tries not to target UDP datagrams, someone wanting to disable your
tcpdump could make it try to display the packet by exploiting your filter
expression: let's say you're on the lookout for "smurf attacks" and are
using a filter containing "ip[19]=255", if someone sends out a DNS query
containing a loop to an address like X.X.X.255, tcpdump will try to read
the domain name and will fall into an infinite loop.

Cheers,

Hugo Breton
bretonh () pgci ca
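As an added illustration of the fix the post argues for (this is example code written for this archive page, not tcpdump's code and not part of the original message), below is a DNS name decoder in C that cannot be spun into an infinite loop. DNS names on the wire may contain RFC 1035 compression pointers to an earlier occurrence of a suffix; a pointer chain that leads back to itself is the "loop" the post describes. The decoder requires every pointer to target an offset strictly below the start of the fragment it is in, so the visited offsets strictly decrease, and additionally caps the number of hops. The message bytes, the MAX_HOPS value and the helper names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOPS 16   /* constructed bound on pointers followed per name */

/*
 * Decode the DNS name starting at offset `off` of message `msg` (`len` bytes)
 * into the dotted string `out` (capacity `outsz`).  Returns the offset of the
 * first byte after the name at its original position, or -1 if the name is
 * truncated, oversized, or uses a pointer that does not point strictly
 * backwards (the condition that makes a loop possible).
 */
int dns_name_decode(const uint8_t *msg, size_t len, size_t off,
                    char *out, size_t outsz)
{
    size_t limit = off;   /* every pointer must target an offset below this */
    size_t hops = 0;      /* pointers followed so far */
    size_t total = 0;     /* wire length of labels seen; RFC 1035 caps it at 255 */
    size_t outpos = 0;
    int end = -1;         /* offset after the name at its original position */
    int jumped = 0;

    for (;;) {
        if (off >= len)
            return -1;                         /* ran off the end of the message */
        uint8_t c = msg[off];

        if ((c & 0xC0) == 0xC0) {              /* compression pointer: 11xxxxxx */
            if (off + 1 >= len)
                return -1;
            size_t ptr = ((size_t)(c & 0x3F) << 8) | msg[off + 1];
            if (!jumped) {
                end = (int)(off + 2);          /* name ends after the 2-byte pointer */
                jumped = 1;
            }
            /* Strictly decreasing targets make a loop impossible; the hop cap
             * is an independent second bound. */
            if (ptr >= limit || ++hops > MAX_HOPS)
                return -1;
            off = ptr;
            limit = ptr;
            continue;
        }
        if (c & 0xC0)
            return -1;                         /* 01/10 label types are not valid here */

        if (c == 0) {                          /* root label terminates the name */
            if (outpos == 0) {
                if (outsz < 2) return -1;
                out[outpos++] = '.';           /* the root name itself */
            }
            out[outpos] = '\0';
            return jumped ? end : (int)(off + 1);
        }

        /* ordinary label: c bytes follow the length byte */
        if (off + 1 + c > len)
            return -1;
        total += 1 + c;
        if (total > 255)
            return -1;
        if (outpos + (outpos ? 1 : 0) + c + 1 > outsz)
            return -1;
        if (outpos)
            out[outpos++] = '.';
        memcpy(out + outpos, msg + off + 1, c);
        outpos += c;
        off += 1 + c;
    }
}

/* Constructed sample message (not captured traffic): 12 header bytes, then
 * a full name, a compressed name, and two names whose pointers form loops. */
static const uint8_t sample_msg[] = {
    0,0,0,0, 0,0,0,0, 0,0,0,0,                       /* 0..11  header */
    3,'w','w','w', 7,'e','x','a','m','p','l','e',    /* 12..23 */
    3,'c','o','m', 0,                                /* 24..28 "www.example.com" */
    4,'m','a','i','l', 0xC0, 0x10,                   /* 29..35 "mail" + ptr to 16 */
    1,'a', 0xC0, 0x24,                               /* 36..39 "a" + ptr to 36 (loop) */
    0xC0, 0x28,                                      /* 40..41 pointer to itself */
};
static const size_t sample_len = sizeof sample_msg;

/* Decoder status for the name at `off` of the sample message. */
int sample_decode(size_t off)
{
    char name[256];
    return dns_name_decode(sample_msg, sample_len, off, name, sizeof name);
}

/* 1 if the name at `off` decodes to `expected`, else 0. */
int sample_decodes_to(size_t off, const char *expected)
{
    char name[256];
    if (dns_name_decode(sample_msg, sample_len, off, name, sizeof name) < 0)
        return 0;
    return strcmp(name, expected) == 0;
}

int main(void)
{
    size_t offs[] = {12, 29, 36, 40};
    for (size_t i = 0; i < 4; i++) {
        char name[256];
        int r = dns_name_decode(sample_msg, sample_len, offs[i], name, sizeof name);
        if (r < 0) printf("offset %zu: rejected (malformed or looping name)\n", offs[i]);
        else       printf("offset %zu: %s (next offset %d)\n", offs[i], name, r);
    }
    return 0;
}
```

The two looping names at offsets 36 and 40 are rejected with -1 after a single pointer check, while the legitimately compressed "mail.example.com" decodes normally. A decoder that fails closed like this is what removes the exposure regardless of which capture filter or "-q" setting is in use.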

