netdev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Fragmentation Attack

from [Gandalf The White] [Permanent Link][Original]
To: "David S. Miller" <davem@xxxxxxxxxx>
Subject: Re: Fragmentation Attack
From: Gandalf The White <gandalf@xxxxxxxxxxx>
Date: Sun, 08 Feb 2004 15:12:36 -0600
Cc: Linux IPStack <netdev@xxxxxxxxxxx>
In-reply-to: <20040208124528.2c667378.davem@redhat.com>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Microsoft-Entourage/10.1.4.030702.0 
Greetings and Salutations:

On 2/8/04 2:45 PM, "David S. Miller" <davem@xxxxxxxxxx> wrote:
> On Sat, 07 Feb 2004 12:00:42 -0600
> Gandalf The White <gandalf@xxxxxxxxxxx> wrote:
>> The requirements of the attack (from the perspective of the paper I wrote)
>> was that you had taken over 20 cable modem computers.  From this viewpoint
>> this could (of course) produce the required number of packets IMHO.
>> 
>> Of course you could also clog up the bandwidth of just about any destination
>> network with this requirement, but that is a different DoS.
> Yes, but this very fact makes the "DoS" much much less interesting.
> If I can clog your link anyways with arbitrary traffic, who cares
> what it does as a second order effect, the machine is made unreachable
> and unusable either way.

Exactly.  So I was discounting the "clog your connection" attack.  What I
was looking at is if someone has a fast machine that they can send a
regulated amount of packets to and test out the fragment attack that would
be good.  I suspect that this attack would still spike the CPU on a machine
at a relatively low (a few hundred) packets per second rate.  On a web
server or other Internet Facing machine that has a decent load this could be
enough CPU overhead to create a DoS.

> Also, these half-complete ICMP packets are really super easy to create
> firewall rules for to block them at ingress of a major site.

The attack has ICMP, UDP and TCP.  If you were seeing a specific signature
over and over again then I agree that it might be easy to block (depending
on the firewall) ... But ... If someone were sending fragments destined for
port 80 to your web server I don't see how you could differentiate between
"real" fragments going to the web server and faked fragmentation requests.


Ken

---------------------------------------------------------------
Do not meddle in the affairs of wizards for they are subtle and
quick to anger.
Ken Hollis - Gandalf The White - gandalf@xxxxxxxxxxx - O- TINLC
WWW Page - http://digital.net/~gandalf/
Trace E-Mail forgery - http://digital.net/~gandalf/spamfaq.html
Trolls crossposts - http://digital.net/~gandalf/trollfaq.html
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [PATCH][IPV6][NDISC] unify ipv6 output routine, David S. Miller
Next by Date:  Re: Change proxy_arp to respond only for valid neighbours, David S. Miller
Previous by Thread:  Re: Fragmentation Attack, David S. Miller
Next by Thread:  Re: Fragmentation Attack, David S. Miller
Indexes:  [Date] [Thread] [Top] [All Lists]