Fragment Attack

Thread: Fragment Attack

  1. #1
    Senior Member
    Join Date
    Dec 2002
    Posts
    144

    Fragment Attack

    blocked an attempt to attack your machine using a "Fragment" attack. The remote address associated with the traffic was 211.26.83.25. The remote port was 33827. The local port on your PC was 30587. The network adapter for the traffic was "Dial-Up Adapter".

    The binary data contained in the packet was "44 45 53 54 00 00 20 53 52 43 00 00 08 00 45 00 00 ed 8a b5 00 8a 6a 11 7b a1 d3 1a 53 19 cb 7d 57 6e 84 23 77 7b 0d 6d 93 c0 4c 59 9f 11 ad 48 4f ef d7 6a bc 95 b3 2f a8 81 af 61 2b 90 35 68 34 34 20 34 35 20 35 33 20 35 34 20 30 30 20 30 30 20 32 30 20 35 33 20 35 32 20 34 33 20 30 30 20 30 30 20 30 38 20 30 30 20 34 35 20 30 30 20 30 30 20 65 64 20 38 61 20 62 35 20 30 30 20 38 61 20 36 61 20 31 31 20 37 62 20 61 31 20 64 33 20 31 61 20 35 33 20 31 39 20 63 62 20 37 64 20 35 37 20 36 65 20 38 34 20 32 03

    The binary data contained in the packet was "%s".".

    It states that this is a fragment attack... What is a fragment attack?
    And what does the IP belong to? For SG I know it is 203... 211 is from which country?

    McAfee Firewall blocked an attempt to attack your machine using a "Newtear" attack. The remote address associated with the traffic was 211.26.83.25. The remote port was 13313. The local port on your PC was 20740. The network adapter for the traffic was "Dial-Up Adapter".

    The binary data contained in the packet was "44 45 53 54 00 00 20 53 52 43 00 00 08 00 45 00 02 3c 90 b5 20 45 6a 11 54 97 d3 1a 53 19 cb 7d 57 6e 34 01 51 04 0e d9 aa 25 61 96 0e aa eb 4c 60 ac 82 89 3d 5c 60 70 ab d1 04 8f 76 51 e0 5d 34 34 20 34 35 20 35 33 20 35 34 20 30 30 20 30 30 20 32 30 20 35 33 20 35 32 20 34 33 20 30 30 20 30 30 20 30 38 20 30 30 20 34 35 20 30 30 20 30 32 20 33 63 20 39 30 20 62 35 20 32 30 20 34 35 20 36 61 20 31 31 20 35 34 20 39 37 20 64 33 20 31 61 20 35 33 20 31 39 20 63 62 20 37 64 20 35 37 20 36 65 20 33 34 20 30 03

    The binary data contained in the packet was "%s".".

    I also got the Newtear attack from the same IP... What is a Newtear attack?
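As an added example (not from the original post and not McAfee's code), decoding the IP header bytes at the start of the two log lines above shows what the firewall actually saw: both packets are non-initial fragments (payload offsets 1104 and 552 bytes), so the "remote port" and "local port" values in the log are just the first four payload bytes read as if they were a UDP header. The function names are mine; the 14-byte link-layer prefix is assumed from the "DEST"/"SRC" bytes the log shows.

```python
import struct
from dataclasses import dataclass

# Constructed from the leading bytes of the two McAfee log lines quoted above:
# 14-byte pseudo link header ("DEST\0\0", " SRC\0\0", EtherType 0x0800),
# the 20-byte IPv4 header, then the first four payload bytes.
FRAGMENT_LOG = ("44 45 53 54 00 00 20 53 52 43 00 00 08 00 "
                "45 00 00 ed 8a b5 00 8a 6a 11 7b a1 d3 1a 53 19 cb 7d 57 6e 84 23 77 7b")
NEWTEAR_LOG = ("44 45 53 54 00 00 20 53 52 43 00 00 08 00 "
               "45 00 02 3c 90 b5 20 45 6a 11 54 97 d3 1a 53 19 cb 7d 57 6e 34 01 51 04")
LINK_HDR_LEN = 14  # assumed from the "DEST"/"SRC" prefix the log shows


@dataclass
class IpFragInfo:
    src: str
    dst: str
    proto: int            # 17 = UDP
    total_len: int        # header + payload, in bytes
    ident: int            # identification shared by all fragments of one datagram
    more_fragments: bool  # MF flag
    frag_offset: int      # byte offset of this fragment's payload within the datagram


def parse_ip_header(hexdump):
    """Decode the IPv4 header (RFC 791 layout) that follows the pseudo link header."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    ip = raw[LINK_HDR_LEN:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    (_, _, total_len, ident, flags_off,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    # flags live in the top 3 bits; the 13-bit offset counts 8-byte units
    return IpFragInfo(".".join(map(str, src)), ".".join(map(str, dst)), proto,
                      total_len, ident, bool(flags_off & 0x2000), (flags_off & 0x1FFF) * 8)


def naive_ports(hexdump):
    """The two 16-bit values a filter sees if it reads 'ports' right after the IP header."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    start = LINK_HDR_LEN + (raw[LINK_HDR_LEN] & 0x0F) * 4
    return struct.unpack("!HH", raw[start:start + 4])


def transport_ports(hexdump):
    """Only the first fragment (offset 0) carries the UDP header; otherwise there are none."""
    if parse_ip_header(hexdump).frag_offset != 0:
        return None
    return naive_ports(hexdump)
```

naive_ports() reproduces the 33827/30587 and 13313/20740 pairs from the log, while transport_ports() returns None for both, which is why those port numbers should not be used to judge what service was targeted.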

  2. #2
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Looks like a DoS attack.

    Teardrop: This attack uses fragmented UDP packets. The first fragment is fine, but the second packet overwrites part of the first fragmented packet. This results in a memory error and the system crashes.

    Teardrop definition: Taken from here.

    To stop attacks... if you are on dial up... simply sign off and then back on. You will be assigned a new IP and they will have to track you down again... Or the poor person who gets your IP next will be the victim.

    Since your firewall is blocking it... I wouldn't worry too much.

    BTW: Here is some info regarding that IP you provided. You may want to report it to this ISP. If you include your logs it helps them more. Of course, only include the logs that are of importance to them...

    GeekTools Whois Proxy v5.0a7 Ready.
    Checking access for 205.219.188.15... ok.
    Final results obtained from whois.apnic.net.
    Results:
    % [whois.apnic.net node-2]
    % How to use this server http://www.apnic.net/db/
    % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

    inetnum: 211.26.0.0 - 211.26.255.255
    netname: INTERNETPRIMUS
    descr: Primus Telecommunications
    descr: Internet Services Network
    country: AU
    admin-c: jp21-ap
    tech-c: rc35-ap
    mnt-by: APNIC-HM
    mnt-lower: MAINT-PRIMUS-AU
    changed: hostmaster@apnic.net 20010910
    changed: hm-changed@apnic.net 20020820
    status: ALLOCATED PORTABLE
    source: APNIC

    person: Jeff Pace
    address: Level 2
    address: 19 Pitt Street
    address: Sydney NSW 2000
    country: AU
    phone: +61-2-9619-8420
    fax-no: +61-2-9619-8444
    e-mail: jpace@primustel.com.au
    nic-hdl: JP21-AP
    mnt-by: MAINT-PRIMUS-AU
    changed: hostmaster@apnic.net 19981113
    source: APNIC

    person: Richard Coombe
    address: Level 2
    address: 19 Pitt Street
    address: Sydney NSW 2000
    country: AU
    phone: +61-2-9619-8427
    fax-no: +61-2-9619-8444
    e-mail: rcoombe@primustel.com.au
    nic-hdl: RC35-AP
    mnt-by: MAINT-PRIMUS-AU
    changed: hostmaster@apnic.net 19981113
    source: APNIC

    Results brought to you by the GeekTools WHOIS Proxy
    Server results may be copyrighted and are used with permission.
    Your host (205.219.188.15) has visited 17 times today.

  3. #3
    AntiOnline Senior Medicine Man
    Join Date
    Nov 2001
    Posts
    724
    In my experience of blocking and stopping fragmented attacks, I find that their PPS (packets per second) can be very low while still causing interfaces to drop. The reason is that their payload, or content, is very large, thus causing the buffers to overflow while trying to piece the "message" back together.

    I find that a lot of our Foundry NetIrons are very vulnerable to these kinds of attacks, but things are in the making, and we currently have an auto-cap system enabled that caps when PPS goes too high. Unfortunately, fragmented attacks are not seen because the PPS is usually low.

    Just my 2 cents.

  4. #4
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    Did a dig on the IP; here's the account it's assigned to:

    Query for 25.83.26.211.in-addr.arpa type=255 class=1
    25.83.26.211.in-addr.arpa PTR (Pointer) 025.a.001.mka.iprimus.net.au

  5. #5
    Senior Member
    Join Date
    Dec 2002
    Posts
    144
    Originally posted here by phishphreek80
    Looks like a DoS attack.
    I'm sorry, I am new to network security... I do not know what's happening in the list you gave... How did you get this 205.219.188.15...

  6. #6
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    A fragmented attack uses lots of small packets, often to evade IDS. Networks have an MTU (maximum transfer unit), which is the largest size they will allow for a packet. If a packet is too big, it will be broken into small pieces and then reassembled at the destination.

    So the general plan is that you send your attack to the target; the target has a firewall or IDS in place to prevent attacks, so by breaking the attack up into lots of small packets the signature will hopefully not be picked up and the attack will get through. For example, if your attack signature was ABCDEFGHIJK and the IDS is looking for ABCDEFGHIJK, you send the packets ABC, DEF, GHI, JK, which individually will not be picked up by the IDS; they are then reassembled at the target and the attack launched.

    Any decent book on networking will be able to tell you more about MTUs and fragmentation.

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    What was the time period between these events? Are these isolated or are they part of a large number of events? Are you seeing any ICMP or scan activity after these events from any IP?

    If they are a minute or so apart, isolated and with scans or ICMP events subsequent then this looks a lot like some little kiddie "playing" with tools. He's probably been out and d/led a couple and has picked an IP or a block at random and you were IT.

    If this is the case I wouldn't worry too much. Furthermore, if your firewall is set to drop all unrequested incoming packets, these attacks can't work, since the purpose is to overflow the buffers when the fragments are being reassembled. That should take place after the firewall - well, any real firewall - hence if they never get past the firewall they can never do any harm. As Dr. Toker pointed out, these kinds of attacks usually don't have a high rate of packet transmission because a) they don't need it, and b) it may cause the attack to be detected by systems designed to stop or report it, so you are unlikely to suffer a denial of service due to bandwidth being reduced.

  8. #8
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Newtear appears to be a very old attack, a quick google search turned up some interesting stuff:

    http://www.yale.edu/its/security/arc.../msg00008.html
    http://www.wwdsi.com/demo/saint_tutorials/newtear.html <-- many helpful links
    http://www.cert.org/advisories/CA-1997-28.html
    http://support.microsoft.com/default...;en-us;q179129
    http://www.attrition.org/security/de...wtear.dos.html


    I would consider this vulnerability to be ancient and as long as you have your computer patched or are running something else other than win95/winnt, I wouldn't be overly concerned with it.


    "Fragment attack" is very, very vague; there have been many different things that use fragmentation. Some use fragmentation to try to avoid detection by things like IDS boxes (too many fragments might not be completely reassembled by the IDS and hence missed), some use fragmentation as the actual attack (i.e., impossible-to-reassemble packets, too many small packets flooding a device). I would suspect, since it saw a tear, that the previous warning was associated with it; however, both of those attacks are pretty ancient.

    Hope the links helped,

    /nebulus
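A defender-side reassembly sanity check, added here as an example (it is not from any post or product on this page): it flags the overlapping-fragment shape phishphreek80 describes for Teardrop, and the can-never-complete sets nebulus mentions, before any fragment data is copied. The Fragment type, check_fragment_set() and the two sample sets are constructed; the benign set borrows the offsets of the two fragments in the original firewall log.

```python
from dataclasses import dataclass
from typing import List

MAX_DATAGRAM = 65535  # RFC 791: the 16-bit total length bounds a reassembled datagram


@dataclass(frozen=True)
class Fragment:
    offset: int           # byte offset of this payload within the original datagram
    payload_len: int      # payload bytes carried (IP total length minus header length)
    more_fragments: bool  # MF flag; False marks the last fragment


def check_fragment_set(frags: List[Fragment]) -> List[str]:
    """Return reasons to discard a fragment set before reassembling it; [] means it is sane."""
    problems = []
    covered_end = 0  # one past the highest byte already covered by earlier fragments
    for f in sorted(frags, key=lambda x: x.offset):
        end = f.offset + f.payload_len
        if f.offset % 8 or (f.more_fragments and f.payload_len % 8):
            problems.append(f"fragment at {f.offset}: non-final data not 8-byte aligned")
        if f.payload_len <= 0:
            problems.append(f"fragment at {f.offset}: carries no data")
        if end > MAX_DATAGRAM:
            problems.append(f"fragment at {f.offset}: ends at {end}, past 65535")
        if f.offset < covered_end:
            # Teardrop/Newtear shape: a fragment starts inside data already received,
            # so a reassembler that trusts the offsets computes a bogus (even negative) length.
            kind = "lies entirely inside" if end <= covered_end else "overlaps"
            problems.append(f"fragment at {f.offset}: {kind} data already covered up to {covered_end}")
        covered_end = max(covered_end, end)
    if frags and all(f.more_fragments for f in frags):
        problems.append("no final fragment: reassembly can never complete")
    return problems


# Constructed: a benign 3-fragment UDP datagram sized like the two logged fragments
# (offset 552 with MF set, offset 1104 without MF) plus an assumed first fragment.
BENIGN_SET = [Fragment(0, 552, True), Fragment(552, 552, True), Fragment(1104, 217, False)]

# Constructed: the classic teardrop shape, a tiny second fragment whose offset
# points back inside the first fragment's data.
TEARDROP_SET = [Fragment(0, 36, True), Fragment(24, 4, False)]
```

Running check_fragment_set() on each arriving set and dropping anything that returns problems is the "before reassembly" filter Tiger Shark describes; a stateful firewall that only admits complete, non-overlapping sets never hands the vulnerable host a malformed datagram.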

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Nebulus: Yeah.... I'm with you on the <Yawn> age of these attacks, and hence my thought that it is someone "playing" with them..... Most probably a noob who doesn't know that these are possibly older than him/her.....<S>

  10. #10
    203.x.x.x is a Southeast Asia block.
    For example: 203.162.x.x is Viet Nam, 203.170.x.x is Thailand. Reference: www.iana.com
