From: 3APA3A (3APA3ASECURITY.NNOV.RU)
Date: Mon Jan 26 2004 - 11:21:13 CST

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Dear Munir Ahmad,

--Saturday, January 24, 2004, 1:23:45 PM, you wrote to VULN-DEVSECURITYFOCUS.COM:

MA> I would like to inquire you about Fragmentation Attacks, i m not
MA> fully aware of it, How does an attacker do Fragment Attacks, and can you
MA> give me some idea how to solve the problem concering with Fragmentation
MA> Attacks.

Single IP packet theoretically may be up to 64K and can be sliced during
sending or transmission to fit MTU (usually 1500 bytes) to a number of
fragments. Remote side reassembles packet from fragments. It waits
during reassembly timeout (RFC 1122 recommends 60 seconds) for all
fragments to appear. Flooding remote host with large number of
incomplete packets may lead to memory consumption, because all fragments
are stored in kernel memory during reassembly. Theoretically you can
consume up to bandwidth*reassembly_timeout if no protection is
implemented in OS. Protection may be to reduce IP reassembly timeout (5
seconds is usually quite enough) and deny TCP/SYN, ICMP and UDP
fragments and unused protocols + stateful filtering on router. You must
be careful with few protocols, for example NFS is a source of fragmented
UDP. Fragmented ICMP is required for ping with large packet size.

--
~/ZARAZA
Âå÷íàÿ ïàìÿòü ñâÿòîìó Ïàòðèêó! (Òâåí)

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]