Fragment storm attack

Printable View

February 4th, 2003, 03:14 PM
Networker

Fragment storm attack

Guys,
I'm loojing for information about Fragment Storm Attacks:
- A malicious Hackers generates a storm of fragmented packet to the victim. As a result the victim will consume most of its CPU to reassemble fragmented packets and may be DoSed :( . Thjis attack should work even with a low number of fragmented packets (no needs of DDOS).

To protect my network I'd like to filter packets comming through my CISCO router by droping any fragmented packet. (This router is not directly connected on the internet & the network is designed to avoid any fragmented leagcy streams).

If you have any idea to achieve this goal or any archive from the litterature I'll be thankfull, :)

cheers AOs.
February 4th, 2003, 03:24 PM
Networker

Thanx TAMPABAY,
actually while googling the subject I came acroos that RFC & keep it preciously.
But I'll be happy if some of you AOs have some CISCO configuration experience on the subject and could give some feedback
February 4th, 2003, 03:28 PM
don

Write the below noted acl into your router, and that will take care of it.
access-list 100 deny ip any any fragments
access-list 100 permit ip any any
February 4th, 2003, 04:24 PM
thehorse13

I have a production PIX box that I wish we could use those ACLs on.

As you fellas know, fragmentation has to happen when bouncing across multiple routers and switches. Unfortunately, in a production scenario, fragmentation attacks can happen to Cisco hardware (or any other manufacturer). I also found out that a PIX box cannot handle more than 140 thousand simultanious connections (We can hit as muany as 170K). The box just locks (runs out of RAM) which I have to say is much better than having it overwrite memory space then crash to a wide open firewall.

Anyway, my two cents :-)
February 4th, 2003, 04:27 PM
Networker

Information update

Well guys I've been a bit more deeply into that subject and I found the following information:

Don I am sorry to say that your ACL programming will not prevent the attack from a clever malicious attacker using nmap for the following reasons:

from http://www.cisco.com/warp/public/105/acl_wp.pdf

Quote:

Deny ACL line with L3 information only, and the fragments keyword is present
If a packet's L3 information does match the L3 information in the ACL line, the packet's fragment
offset is checked.
1.
If a packet's FO > 0, the packet is denied.
2.
If a packet's FO = 0, the next ACL line is processed.

from ftp://ftp.rfc-editor.org/in-notes/pd...fc3128.txt.pdf

Quote:

The indirect method relies on the observation that when a TCP
packet is fragmented so as to force "interesting" header fields
out of the zero-offset fragment, there must exist a fragment with
FO equal to 1.
This is normally true where the fragments are genuine fragments,
generally by bona fide software, but it is simply not true that a
hacker forging fragments is forced to produce an FO=1 fragment simply
because (s)he has produced an 8-byte FO=0 fragment . The
vulnerability flows from this false premise.
February 4th, 2003, 04:37 PM
thehorse13

Unfortunately many IDS systems can be fooled in the same mannor. I currently have a few open bugs with Cisco which deals with algorythum circumvention.