Full Disclosure mailing list archives

Denial of Service Attack in Linux !!!


From: amol wanjari <keul_vrce () yahoo com>
Date: Sat, 1 Feb 2003 08:35:02 -0800 (PST)


Hi folks,

Can DoS attacks be taken care of through cryptographic techniques? If
they can be (in some cases? or in all cases?), give one example of
your answer. If they cannot be (in some cases? or in all cases?),
attempt a characterization of when/why cryptographic techniques are
not useful.

Linux 2.1.89 to 2.2.3 had a DoS attack based on the following code in
/usr/src/linux/net/ipv4/ip_fragment.c: (The * lines are essential to
the attack & the ? lines can be ignored if you desire.)


   ...

   // Copy data portions of all fragments (list *qp) into the new buffer (*ptr)

   *  fp = qp->fragments;   // start of fragments
   *  count = qp->ihlen;    // ip hdr length

   *  while (fp) {

   *    if ((fp->len < 0) || ((count + fp->len) > skb->len)) goto out_invalid;
          // skb: new netw buffer being prepared
   ?    memcpy((ptr + fp->offset), fp->ptr, fp->len);
          // copy from fragment to new buffer

   *    if (count == qp->ihlen) {
   *      skb->dst = dst_clone(fp->skb->dst);
            // add to a 4K cache of routing entries (dst)
            // dst: abbr for destination
   ?      skb->dev = fp->skb->dev;
        }

   *    count += fp->len;
   *    fp = fp->next;
      }

   ?  out_invalid: printk(KERN_ERR,...)

   ...

   extern __inline__
   struct dst_entry * dst_clone(struct dst_entry * dst) {
   *  if (dst)
   *    atomic_inc(&dst->use);
   *  return dst;
   }

The attacker manufactures fragments with length zero. Explain how the attack
succeeds. What could be the fix? (Hint: add exactly one char in a * line!)


++Keul++
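
Added example, not part of the post and not kernel code: a constructed C model of the quoted reassembly loop. It counts the references taken on the shared routing entry (the `dst_clone` call inside the `count == qp->ihlen` branch) for a fragment list that contains zero-length fragments, beside the one-character hardened length check (`<=`) that rejects them. Struct names, `reassemble` and `demo` are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>

/* Minimal stand-ins for the kernel structures the quoted loop touches. */
struct dst_entry { int use; };                       /* routing cache entry refcount */
struct frag { int len; int offset; struct dst_entry *dst; struct frag *next; };

static struct dst_entry *dst_clone(struct dst_entry *dst) {
    if (dst) dst->use++;                             /* atomic_inc(&dst->use) in the kernel */
    return dst;
}

/* Walk the fragment list as ip_fragment.c does. Returns the number of references
 * taken on the dst entry, or -1 if the list was rejected as invalid.
 * 'fixed' selects the hardened check (fp->len <= 0) instead of (fp->len < 0). */
int reassemble(struct frag *fragments, int ihlen, int skb_len, bool fixed) {
    struct frag *fp = fragments;
    int count = ihlen;
    struct dst_entry *skb_dst = NULL;
    int refs_taken = 0;
    while (fp) {
        bool bad_len = fixed ? (fp->len <= 0) : (fp->len < 0);
        if (bad_len || (count + fp->len) > skb_len) return -1;   /* goto out_invalid */
        if (count == ihlen) {
            /* Meant to run once, for the first data fragment. A zero-length fragment
             * leaves count unchanged, so this branch runs again and the previous
             * reference held in skb_dst is overwritten without ever being released. */
            skb_dst = dst_clone(fp->dst);
            refs_taken++;
        }
        count += fp->len;
        fp = fp->next;
    }
    (void)skb_dst;
    return refs_taken;
}

/* Constructed sample input: zero_frags zero-length fragments in front of one
 * genuine 8-byte fragment, all pointing at the same routing entry.
 * Returns the entry's refcount afterwards: 2 is the normal result (one held
 * reference), every extra unit is a leaked reference. */
int demo(int zero_frags, bool fixed) {
    struct dst_entry route = { .use = 1 };
    struct frag list[8];
    int n = zero_frags < 7 ? zero_frags : 7;
    for (int i = 0; i < n; i++)
        list[i] = (struct frag){ 0, 0, &route, &list[i + 1] };
    list[n] = (struct frag){ 8, 0, &route, NULL };   /* the real data fragment */
    reassemble(list, 20, 28, fixed);                 /* 20-byte IP header, 28-byte skb */
    return route.use;
}
```

Each leaked reference keeps the routing entry pinned in the cache, which is how repeated zero-length fragments exhaust it; the hardened check returns the refcount to its starting value because the list is rejected before any reference is taken.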


