Subject: Re: Windows DoS code (jolt2.c)
From: David LeBlanc (dleblanc@MINDSPRING.COM)
Date: Fri May 26 2000 - 12:24:59 CDT


At 10:16 AM 5/26/00 -0600, you wrote:
>Essentially, the Jolt2 DoS is done by sending identical fragmented IP
>packets to the target at the rate of
>approximately 150 packets per second.

Look at the code. The code first builds the packet, then sits in:

while(1)
{
  sendto(....);
}

This thing will throw packets as fast as a machine is capable of tossing
them onto the network - that can easily run up to 2400 packets/sec.
Sending packets (any packet, even if it is normal) that rapidly can cause
severe network malfunctions. For example, if you do this on a switched
network, the collision rate will go through the roof, and if you have a
good switch, it will take you off the network.

Additionally, routers may be rated in terms of bandwidth, but in reality,
packets/sec are typically the rate-limiting factor. This isn't normally
advertised, but it is a fact of life - try scatter pinging a remote network
across a router, then play with the packet size and packet rate - you'll
start missing hosts once the packet rate goes too high.

I've been through the school of hard knocks on this one - asked one of my
programmers at ISS to make the ping sweep faster - he did, and we were
knocking over routers, having switches toss us off the network. Spent
quite a while de-tuning it until it didn't cause problems and gave reliable
results.

Moral of the story is that BEFORE you go playing with stuff like this, you
better be really sure that you have permission not just from the target,
but from everyone in-between. It tends to make people really unhappy when
you knock over routers, suck up all the bandwidth, and cause all sorts of
Bad Things to happen. If it costs them $$, they might be mad enough to
sue, go find the FBI, etc.

>The contents of the packet do
>not appear to matter greatly. When RAZOR Team discovered this
>problem, their tests were done with ICMP packets only but they do
>suspect that the problem is not specific to ICMP.

The FAQ put out by my friends over in secure@microsoft.com is very
informative, and can be found at
http://www.microsoft.com/technet/security/bulletin/fq00-029.asp. It
specifically states that the attack is independent of upper-level protocol.

>RAZOR suggests filtering fragmented IP packets at the router and of
>course Microsoft has released a hotfix.

Note that dropping all fragments could have drawbacks, depending on what
you are doing. For example, NFS uses UDP packets that typically fragment.
OTOH, TCP packets are rarely fragmented, so if you are protecting a web
server, it is running on TCP, so dropping fragments is probably smart.

The best thing to do is just apply the hotfix.

David LeBlanc
dleblanc@mindspring.com
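The two defensive points in the reply above (a filter that drops IP fragments but spares UDP so NFS keeps working, and the observation that packet rate rather than bandwidth is what hurts routers and switches) can be demonstrated in code. The following is an added example written for this archive page; it is not code from the original post or from jolt2.c. It parses the fixed IPv4 header from raw bytes, identifies fragments from the MF flag and fragment offset, applies the "drop fragments except UDP" policy, and measures the peak packet rate of an arrival-time series so that a monitor can flag bursts above a chosen packets-per-second limit. The three sample headers and the arrival timestamps are constructed for the example (checksums are left as zero; no real traffic is involved), and the function names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IPv4 protocol-field values (IANA assigned numbers). */
enum { PROTO_ICMP = 1, PROTO_TCP = 6, PROTO_UDP = 17 };

typedef struct {
    int valid;            /* 0 if the header was malformed or too short */
    uint8_t protocol;     /* upper-layer protocol number */
    uint32_t src;         /* source address in host byte order */
    int more_fragments;   /* MF flag from the flags field */
    unsigned frag_offset; /* fragment offset in 8-byte units */
} ipv4_summary;

/* Parse the fixed 20-byte part of an IPv4 header from raw bytes. */
ipv4_summary parse_ipv4(const uint8_t *pkt, size_t len)
{
    ipv4_summary s;
    memset(&s, 0, sizeof s);
    if (len < 20 || (pkt[0] >> 4) != 4)
        return s;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;  /* header length in bytes */
    if (ihl < 20 || ihl > len)
        return s;
    s.protocol = pkt[9];
    s.src = ((uint32_t)pkt[12] << 24) | ((uint32_t)pkt[13] << 16) |
            ((uint32_t)pkt[14] << 8) | pkt[15];
    s.more_fragments = (pkt[6] & 0x20) != 0;            /* MF is bit 2 of the flags */
    s.frag_offset = ((unsigned)(pkt[6] & 0x1f) << 8) | pkt[7];
    s.valid = 1;
    return s;
}

/* A packet is a fragment if MF is set or it is not the first piece (offset != 0). */
int is_fragment(const uint8_t *pkt, size_t len)
{
    ipv4_summary s = parse_ipv4(pkt, len);
    return s.valid && (s.more_fragments || s.frag_offset != 0);
}

/* Filter rule following the reply's caveat: drop fragments, but with
 * exempt_udp set let UDP fragments through so NFS-style traffic survives.
 * Returns 1 to drop, 0 to pass; malformed headers are dropped. */
int drop_fragment_policy(const uint8_t *pkt, size_t len, int exempt_udp)
{
    ipv4_summary s = parse_ipv4(pkt, len);
    if (!s.valid)
        return 1;
    if (!(s.more_fragments || s.frag_offset != 0))
        return 0;                                   /* whole datagram: pass */
    if (exempt_udp && s.protocol == PROTO_UDP)
        return 0;                                   /* UDP fragment: allowed */
    return 1;                                       /* any other fragment: drop */
}

/* Largest number of packets inside any window_ms interval of a sorted
 * arrival-time series (two-pointer sweep, O(n)). */
unsigned max_packets_in_window(const uint32_t *ts_ms, size_t n, uint32_t window_ms)
{
    unsigned best = 0;
    size_t i = 0;
    for (size_t j = 0; j < n; j++) {
        while (ts_ms[j] - ts_ms[i] >= window_ms)
            i++;
        if (j - i + 1 > best)
            best = (unsigned)(j - i + 1);
    }
    return best;
}

/* Peak rate in packets per second, scaled up from the measurement window. */
unsigned peak_pps(const uint32_t *ts_ms, size_t n, uint32_t window_ms)
{
    return max_packets_in_window(ts_ms, n, window_ms) * 1000u / window_ms;
}

/* 1 if the peak rate exceeds limit_pps, the threshold a monitor would alert on. */
int exceeds_pps(const uint32_t *ts_ms, size_t n, uint32_t window_ms, unsigned limit_pps)
{
    return peak_pps(ts_ms, n, window_ms) > limit_pps;
}

/* Constructed 20-byte sample headers (no payload, checksum left zero). */
/* ICMP, DF set, offset 0: a whole datagram, not a fragment. */
const uint8_t PKT_ICMP_WHOLE[20] = {0x45,0x00,0x00,0x14, 0x12,0x34, 0x40,0x00,
                                    0x40,PROTO_ICMP,0x00,0x00, 10,0,0,1, 10,0,0,2};
/* UDP, MF set, offset 0: first fragment of a larger datagram (NFS-like). */
const uint8_t PKT_UDP_FRAG[20]   = {0x45,0x00,0x00,0x14, 0x12,0x35, 0x20,0x00,
                                    0x40,PROTO_UDP,0x00,0x00, 10,0,0,1, 10,0,0,2};
/* TCP, MF clear, offset 1: a trailing fragment of a TCP segment. */
const uint8_t PKT_TCP_FRAG[20]   = {0x45,0x00,0x00,0x14, 0x12,0x36, 0x00,0x01,
                                    0x40,PROTO_TCP,0x00,0x00, 10,0,0,1, 10,0,0,2};

/* Constructed arrival times in ms: 20 packets in 20 ms, then sparse traffic. */
const uint32_t BURST_MS[23] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,
                               500, 1500, 1600};

int main(void)
{
    printf("ICMP whole: fragment=%d drop=%d\n",
           is_fragment(PKT_ICMP_WHOLE, 20), drop_fragment_policy(PKT_ICMP_WHOLE, 20, 1));
    printf("UDP frag:   fragment=%d drop=%d (exempt_udp=1)\n",
           is_fragment(PKT_UDP_FRAG, 20), drop_fragment_policy(PKT_UDP_FRAG, 20, 1));
    printf("TCP frag:   fragment=%d drop=%d\n",
           is_fragment(PKT_TCP_FRAG, 20), drop_fragment_policy(PKT_TCP_FRAG, 20, 1));
    printf("peak rate over 100 ms windows: %u pps, over 150 limit: %d\n",
           peak_pps(BURST_MS, 23, 100), exceeds_pps(BURST_MS, 23, 100, 150));
    return 0;
}
```

The filter helper is the router-side mitigation the reply weighs, with the UDP exemption as a knob rather than a fixed choice, since a host that serves only TCP can set it to 0 and drop every fragment. The rate sweep is the kind of check you would run on a capture (or on your own scanner's send timestamps) before and after de-tuning, so that a tool stays under the packet rate the path can carry; it says nothing about bandwidth, which is the point the reply makes about routers. None of this replaces the vendor hotfix.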
