IPv4 fragmentation --> The Rose Attack

From: Gandalf The White (gandalf_at_digital.net)
Date: 09/27/04

    Date: Sun, 26 Sep 2004 23:28:39 -0500
    To: <bugtraq@securityfocus.com>
    
    

    Greetings and Salutations:

    While this discussion pertains to IPv4, IPv6 also allows fragmentation and I
    suspect IPv6 will also be affected by this attack.

    This is an extension of the "Rose Attack" previously posted to the Bugtraq
    mailing list. I have decided to call this attack the "New Dawn attack" to
    differentiate this attack from the original "Rose Attack".

    The following explanation is currently up to date and will be updated as
    necessary:
    http://digital.net/~gandalf/Rose_Frag_Attack_Explained.htm
    http://digital.net/~gandalf/Rose_Frag_Attack_Explained.txt

    After I released the initial Rose Attack, Paul Starzetz mentioned that you
    can also cause high CPU utilization using a variation of this attack. The
    high CPU is caused by sending a large number of small fragments (with
    fragments missing) then sending the final fragment repetitively. Each time
    the last fragment is sent the CPU tries to reassemble the entire fragment
    with the associated allocate / free memory for the size of the fragment.

    Of the machines I have had access to, this attack has caused any number of
    the following problems:
    1) Causes the CPU to spike, thus exhausting processor resources.
    2) Legitimate fragmented packets are dropped intermittently (unfragmented
    packets get through fine)
    3) Legitimate fragmented packets are no longer accepted by the machine under
    attack (unfragmented packets get through fine) until the fragmentation time
    exceeded timers expire.

    The following devices were tested. Some showed some or all of the above
    symptoms; Mac OS/X and Mandrake 10 did not show any problems. See the above
    Rose_Frag_Attack_Explained.htm file for a table of the tests that were run
    (bottom of the file):
    1) Microsoft Windows 2000
    2) Mandrake Linux 9.2
    3) Mandrake Linux 10
    4) Microsoft Windows XP
    5) Mac OS/X V10.3.5

    The following vendors have been notified of this condition prior to the
    release of this announcement:
    1) Microsoft
    2) Cisco
    3) Apple

    Apple has provided a software fix:
    CVE-IDs: CAN-2004-0744

    Mandrake 10 / Linux Kernel v2.6 is not vulnerable.

    Software implementation of the New Dawn Attack:
    http://digital.net/~gandalf/NewDawn.c
    http://digital.net/~gandalf/NewDawn2.c
    http://digital.net/~gandalf/NewDawn3.c
    http://digital.net/~gandalf/NewDawn4.c

    You will need NetW(ib)(ox)(ag) for NewDawn3 and NewDawn4:
    http://www.laurentconstantin.com/en/netw/
    I used:
    http://www.laurentconstantin.com/common/netw/download/v5/netw-ib-ox-ag-5.24.0.tgz

    The suggested software solution to this attack is to peruse the Linux Kernel
    v2.6.8-rc4 /net/ipv4/ip_fragment.c code. They have done a pretty good job
    (with the exception of the small fragment buffer IMHO) of keeping the above
    problems to a minimum.

    If you have any questions please ask.

    Ken

    ------------------------------------------------------------------
    Do not meddle in the affairs of wizards for they are subtle and
    quick to anger.
    Ken Hollis - Gandalf The White - gandalf@digital.net - O- TINLC
    WWW Page - http://gandalf.home.digital.net/
    Trace E-Mail forgery - http://gandalf.home.digital.net/spamfaq.html
    Trolls crossposts - http://gandalf.home.digital.net/trollfaq.html
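
The mechanism the post describes (many small fragments with holes between them, then the last fragment resent so that each arrival forces a full reassembly attempt) and the Linux 2.6 ip_fragment.c-style bookkeeping it points to, as an added simulation that is not part of the original post and is not NewDawn.c. It models only the reassembly queue, not the wire: each fragment is just an offset, a length and the MF flag, the `meat` counter mirrors the byte accounting in ip_fragment.c, and the same-offset duplicate check, the fragment counts and the buffer sizes are simplifications assumed for illustration.

```c
/* Simulation of the "New Dawn" fragment pattern against two toy IPv4
 * reassemblers. Added example: not code from the post or from NewDawn.c.
 * Models the reassembly queue only (offset, length, MF per fragment),
 * so it runs offline with no raw socket. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FRAGS 2048
#define MAX_DGRAM 65535                 /* largest IPv4 datagram */

struct frag { uint16_t off; uint16_t len; uint8_t mf; }; /* off in bytes */

struct queue {
    struct frag frags[MAX_FRAGS];
    int nfrags;
    int total_len;   /* known once an MF=0 fragment arrives, else -1 */
    int meat;        /* distinct payload bytes queued (qp->meat in ip_fragment.c) */
    long attempts;   /* full reassembly attempts: one alloc + copy + free each */
    int done;
};

static void queue_init(struct queue *q) { memset(q, 0, sizeof *q); q->total_len = -1; }

/* The expensive step: allocate a datagram-sized buffer, lay every queued
 * fragment into it, scan for holes, free it. Returns 1 when complete. */
static int try_reassemble(struct queue *q)
{
    uint8_t *cover = calloc(1, (size_t)q->total_len);
    int i, b, complete = 1;
    q->attempts++;
    if (!cover) return 0;
    for (i = 0; i < q->nfrags; i++)
        for (b = 0; b < q->frags[i].len; b++)
            if (q->frags[i].off + b < q->total_len) cover[q->frags[i].off + b] = 1;
    for (b = 0; b < q->total_len; b++)
        if (!cover[b]) { complete = 0; break; }
    free(cover);
    return complete;
}

/* Naive reassembler: queues every fragment, duplicates included, and attempts
 * a full reassembly whenever the datagram length is known. */
static void naive_input(struct queue *q, struct frag f)
{
    if (q->done || q->nfrags >= MAX_FRAGS) return;
    q->frags[q->nfrags++] = f;
    if (!f.mf) q->total_len = f.off + f.len;
    if (q->total_len >= 0 && try_reassemble(q)) q->done = 1;
}

/* Hardened reassembler in the spirit of Linux 2.6 ip_fragment.c: reject
 * inconsistent lengths, drop repeats, account bytes in `meat`, and pay for
 * reassembly only once meat equals the datagram length. Real Linux also trims
 * overlapping fragments and bounds fragment memory; the same-offset check here
 * is an assumed simplification. */
static void hardened_input(struct queue *q, struct frag f)
{
    int i, end = f.off + f.len;
    if (q->done || q->nfrags >= MAX_FRAGS || f.len == 0 || end > MAX_DGRAM) return;
    if (!f.mf) {
        if (q->total_len >= 0 && q->total_len != end) return;  /* conflicting total */
        q->total_len = end;
    } else if (q->total_len >= 0 && end > q->total_len) return;
    for (i = 0; i < q->nfrags; i++)
        if (q->frags[i].off == f.off) return;                  /* already queued */
    q->frags[q->nfrags++] = f;
    q->meat += f.len;
    if (q->total_len >= 0 && q->meat == q->total_len && try_reassemble(q)) q->done = 1;
}

static void feed(struct queue *q, int hardened, uint16_t off, uint16_t len, uint8_t mf)
{
    struct frag f = { off, len, mf };
    if (hardened) hardened_input(q, f); else naive_input(q, f);
}

/* New Dawn pattern: `nsmall` 8-byte fragments at every other 8-byte slot so
 * holes remain, then the MF=0 tail fragment `resends` times.
 * Returns how many full reassembly attempts the reassembler made. */
long new_dawn(int hardened, int nsmall, int resends)
{
    struct queue q; int i;
    queue_init(&q);
    for (i = 0; i < nsmall; i++) feed(&q, hardened, (uint16_t)(i * 16), 8, 1);
    for (i = 0; i < resends; i++) feed(&q, hardened, (uint16_t)(nsmall * 16), 8, 0);
    return q.attempts;
}

/* Control: a gap-free datagram of n fragments must still reassemble, with
 * exactly one reassembly attempt, on either implementation. */
int complete_ok(int hardened, int n)
{
    struct queue q; int i;
    queue_init(&q);
    for (i = 0; i < n; i++) feed(&q, hardened, (uint16_t)(i * 8), 8, (uint8_t)(i + 1 < n));
    return q.done && q.attempts == 1;
}

int main(void)
{
    printf("naive:    %ld reassembly attempts for 500 tail resends\n", new_dawn(0, 100, 500));
    printf("hardened: %ld reassembly attempts for 500 tail resends\n", new_dawn(1, 100, 500));
    printf("control: naive=%d hardened=%d\n", complete_ok(0, 20), complete_ok(1, 20));
    return 0;
}
```

With 100 holed fragments queued, the naive reassembler pays one full-size allocate, copy and free for every one of the 500 tail resends, which is the CPU spike the post describes; the hardened one never calls the expensive path because `meat` never reaches the datagram length and the repeated tail fragment is dropped at the queue, while the gap-free control datagram still reassembles on both. The unreachable-hole case is exactly why attempting reassembly only when the byte count is complete matters; the remaining cost for an attacker is the memory held until the reassembly timer expires, which is the part of ip_fragment.c (the small-fragment buffer accounting) the post is less happy with.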

