Fragment storm attack
Results 1 to 6 of 6

Thread: Fragment storm attack

  1. #1
    Senior Member
    Join Date
    Nov 2002
    Posts
    382

    Post Fragment storm attack

    Guys,
    I'm loojing for information about Fragment Storm Attacks:
    - A malicious Hackers generates a storm of fragmented packet to the victim. As a result the victim will consume most of its CPU to reassemble fragmented packets and may be DoSed . Thjis attack should work even with a low number of fragmented packets (no needs of DDOS).

    To protect my network I'd like to filter packets comming through my CISCO router by droping any fragmented packet. (This router is not directly connected on the internet & the network is designed to avoid any fragmented leagcy streams).

    If you have any idea to achieve this goal or any archive from the litterature I'll be thankfull,

    cheers AOs.
    [shadow] SHARING KNOWLEDGE[/shadow]

  2. #2
    Senior Member
    Join Date
    Nov 2002
    Posts
    382
    Thanx TAMPABAY,
    actually while googling the subject I came acroos that RFC & keep it preciously.
    But I'll be happy if some of you AOs have some CISCO configuration experience on the subject and could give some feedback
    [shadow] SHARING KNOWLEDGE[/shadow]

  3. #3
    Senior Member
    Join Date
    Dec 2002
    Posts
    110
    Write the below noted acl into your router, and that will take care of it.
    access-list 100 deny ip any any fragments
    access-list 100 permit ip any any

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    I have a production PIX box that I wish we could use those ACLs on.

    As you fellas know, fragmentation has to happen when bouncing across multiple routers and switches. Unfortunately, in a production scenario, fragmentation attacks can happen to Cisco hardware (or any other manufacturer). I also found out that a PIX box cannot handle more than 140 thousand simultanious connections (We can hit as muany as 170K). The box just locks (runs out of RAM) which I have to say is much better than having it overwrite memory space then crash to a wide open firewall.

    Anyway, my two cents :-)
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    Senior Member
    Join Date
    Nov 2002
    Posts
    382

    Information update

    Well guys I've been a bit more deeply into that subject and I found the following information:

    Don I am sorry to say that your ACL programming will not prevent the attack from a clever malicious attacker using nmap for the following reasons:

    from http://www.cisco.com/warp/public/105/acl_wp.pdf
    Deny ACL line with L3 information only, and the fragments keyword is present
    If a packet's L3 information does match the L3 information in the ACL line, the packet's fragment
    offset is checked.
    1.
    If a packet's FO > 0, the packet is denied.
    2.
    If a packet's FO = 0, the next ACL line is processed.
    from ftp://ftp.rfc-editor.org/in-notes/pd...fc3128.txt.pdf
    The indirect method relies on the observation that when a TCP
    packet is fragmented so as to force "interesting" header fields
    out of the zero-offset fragment, there must exist a fragment with
    FO equal to 1.
    This is normally true where the fragments are genuine fragments,
    generally by bona fide software, but it is simply not true that a
    hacker forging fragments is forced to produce an FO=1 fragment simply
    because (s)he has produced an 8-byte FO=0 fragment
    . The
    vulnerability flows from this false premise.
    [shadow] SHARING KNOWLEDGE[/shadow]

  6. #6
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Unfortunately many IDS systems can be fooled in the same mannor. I currently have a few open bugs with Cisco which deals with algorythum circumvention.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •