Vulnerability Development mailing list archives

Re: Networking theories


From: Matthew.King () CWO NET AU (Matthew King)
Date: Sat, 6 May 2000 09:21:19 +1000


Hi.

I am not sure how easy something like this would be to put into practice.

Source Quench packets contain the first 64 bytes of the original datagram's
data. You would have to obtain this information somehow, perhaps via
sniffing. If I am wrong, please let me know. As far as I can tell, this
would be the limiting factor to using this as a type of DoS.

Cya
Matthew

 -----Original Message-----
From:   Jesus Oquendo [mailto:intrusion () ENGINEER COM]
Sent:   Friday, 5 May 2000 8:09 AM
To:     VULN-DEV () SECURITYFOCUS COM
Subject:        Networking theories

While this is not a vuln-dev I figured I would post it
since it is security related. Apologies for the spammage if
this has been addressed before.

Theories:

If source quench packets were sent as a spoofed host, and
sent to a destination in which someone were trying to slow
down traffic as a form of Denial of Service attack, would it
work?

victim.org(spoofed) ---> ICMP(source-quench) --->
router.victim.org

Someone wants to slow down victim.org, so would sending
source quenches to victim.org's router claiming to be
victim.org, stating slow down any traffic coming to
victim.org, slow it down?

What about poisoning ARP addresses on a network... If
packets were sent to a network from an attacker who somehow
gained MAC addresses, would that network's router be
able to filter out that type of traffic from coming in
validly? If so, then via the access list of protocol type?

Or if the router was not properly configured to determine
that these ARPs are valid, would it add these new changes
that the attacker is sending as valid routing information
and update its routing table addresses, and/or perhaps
damage any relevant information for that network? Spanning
Tree Protocols, OSPF information, etc...

What about the possibility of "route poisoning"? It might seem
outrageous, but what if complete routing changes were
remotely forced via some sort of spoofed data such as ARP
floods, Spanning Tree based bogus traffic coming onto the
network... Wouldn't router costs be jeopardized, resulting
in a total nightmare... Ever heard of or seen any
type of DoS like this, or have any links they'd care to
e-mail me on this subject?
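As an added illustration, not part of this thread, here is the check a receiving stack can apply to the point raised in the reply above: RFC 792 puts the offending datagram's IP header plus the first 64 bits of its data inside a source quench, so a host can accept a quench only when that embedded header matches a flow it actually has open, and a forged quench built without that knowledge fails the check. The Flow set, the helper names and the sample packets are constructed for this demo; modern stacks ignore source quench altogether (RFC 6633).

```python
import struct
from dataclasses import dataclass

ICMP_SOURCE_QUENCH = 4  # ICMP type 4 (RFC 792)

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int

def _ip4_to_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def _ip4_to_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))

def parse_source_quench(icmp: bytes):
    """Return the Flow described by the datagram embedded in a source quench, else None."""
    if len(icmp) < 8 or icmp[0] != ICMP_SOURCE_QUENCH:
        return None
    inner = icmp[8:]  # original IP header + first 64 bits of its payload (RFC 792)
    if len(inner) < 20:
        return None
    ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    src, dst = _ip4_to_str(inner[12:16]), _ip4_to_str(inner[16:20])
    l4 = inner[ihl:ihl + 8]  # for TCP/UDP those 64 bits cover the source and destination ports
    if len(l4) < 4:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    return Flow(src, dst, proto, sport, dport)

def is_plausible(icmp: bytes, open_flows: set) -> bool:
    """Accept a quench only if its embedded datagram matches a flow this host has open (assumed policy)."""
    flow = parse_source_quench(icmp)
    return flow is not None and flow in open_flows

def build_quench(src: str, dst: str, proto: int, sport: int, dport: int) -> bytes:
    """Constructed sample packet: ICMP type 4 wrapping a 20-byte IP header and 8 bytes of L4 header."""
    icmp_hdr = struct.pack("!BBHI", ICMP_SOURCE_QUENCH, 0, 0, 0)  # checksum left zero in the sample
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                         _ip4_to_bytes(src), _ip4_to_bytes(dst))
    return icmp_hdr + ip_hdr + struct.pack("!HHI", sport, dport, 0)
```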
