February 4th, 2003, 03:14 PM
#1
Fragment storm attack
Guys,
I'm looking for information about Fragment Storm Attacks:
- A malicious hacker generates a storm of fragmented packets to the victim. As a result the victim will consume most of its CPU to reassemble fragmented packets and may be DoSed. This attack should work even with a low number of fragmented packets (no need of DDoS).
To protect my network I'd like to filter packets coming through my CISCO router by dropping any fragmented packet. (This router is not directly connected on the internet & the network is designed to avoid any fragmented legacy streams).
If you have any idea to achieve this goal or any archive from the literature I'll be thankful,
cheers AOs.
SHARING KNOWLEDGE
February 4th, 2003, 03:24 PM
#2
Thanx TAMPABAY,
actually while googling the subject I came across that RFC & keep it preciously.
But I'll be happy if some of you AOs have some CISCO configuration experience on the subject and could give some feedback.
SHARING KNOWLEDGE
February 4th, 2003, 03:28 PM
#3
Write the below noted acl into your router, and that will take care of it.
access-list 100 deny ip any any fragments
access-list 100 permit ip any any
February 4th, 2003, 04:24 PM
#4
I have a production PIX box that I wish we could use those ACLs on.
As you fellas know, fragmentation has to happen when bouncing across multiple routers and switches. Unfortunately, in a production scenario, fragmentation attacks can happen to Cisco hardware (or any other manufacturer). I also found out that a PIX box cannot handle more than 140 thousand simultaneous connections (we can hit as many as 170K). The box just locks (runs out of RAM) which I have to say is much better than having it overwrite memory space then crash to a wide open firewall.
Anyway, my two cents :-)
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
February 4th, 2003, 04:27 PM
#5
Information update
Well guys, I've been a bit more deeply into that subject and I found the following information:
Don, I am sorry to say that your ACL programming will not prevent the attack from a clever malicious attacker using nmap, for the following reasons:
from http://www.cisco.com/warp/public/105/acl_wp.pdf:
Deny ACL line with L3 information only, and the fragments keyword is present
If a packet's L3 information does match the L3 information in the ACL line, the packet's fragment offset is checked.
1. If a packet's FO > 0, the packet is denied.
2. If a packet's FO = 0, the next ACL line is processed.
from ftp://ftp.rfc-editor.org/in-notes/pd...fc3128.txt.pdf:
The indirect method relies on the observation that when a TCP packet is fragmented so as to force "interesting" header fields out of the zero-offset fragment, there must exist a fragment with FO equal to 1.
This is normally true where the fragments are genuine fragments, generally by bona fide software, but it is simply not true that a hacker forging fragments is forced to produce an FO=1 fragment simply because (s)he has produced an 8-byte FO=0 fragment. The vulnerability flows from this false premise.
SHARING KNOWLEDGE
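To make the matching rule quoted from the Cisco whitepaper concrete, here is an added Python simulation (not from the thread, and not Cisco code) of how the two-line ACL from reply #3 treats a whole datagram, an initial fragment and a non-initial fragment; the sample addresses and the `evaluate` helper are assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class AclLine:
    action: str              # "permit" or "deny"
    src: str                 # CIDR network or "any"
    dst: str                 # CIDR network or "any"
    fragments: bool = False  # IOS "fragments" keyword on an L3-only line


@dataclass
class Packet:
    src: str
    dst: str
    frag_offset: int         # IP fragment offset (FO), in 8-byte units
    more_fragments: bool     # IP MF flag; FO=0 with MF set is an initial fragment


def _in(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec)


def evaluate(acl, pkt):
    """Verdict under the L3-only rules quoted above: a line carrying the
    'fragments' keyword only matches when FO > 0; a packet with FO = 0 falls
    through to the next line. IOS ends every ACL with an implicit deny."""
    for line in acl:
        if not (_in(line.src, pkt.src) and _in(line.dst, pkt.dst)):
            continue
        if line.fragments and pkt.frag_offset == 0:
            continue  # FO = 0: initial fragment or whole datagram, next line
        return line.action
    return "deny"


# The two-line ACL posted in reply #3.
ACL_100 = [
    AclLine("deny", "any", "any", fragments=True),
    AclLine("permit", "any", "any"),
]

# Constructed sample traffic (not captured data) towards host 192.0.2.10.
SAMPLES = {
    "whole datagram":          Packet("198.51.100.7", "192.0.2.10", 0, False),
    "initial fragment (FO=0)": Packet("198.51.100.7", "192.0.2.10", 0, True),
    "non-initial fragment":    Packet("198.51.100.7", "192.0.2.10", 185, True),
}


def verdicts(acl=ACL_100, samples=SAMPLES):
    """Map each sample to its verdict; shows what the ACL actually drops."""
    return {name: evaluate(acl, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:26s} -> {verdict}")
```

The initial fragment falls through to `permit ip any any`, so only non-initial fragments are dropped; a forged 8-byte FO=0 fragment of the kind RFC 3128 describes still reaches the host.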
February 4th, 2003, 04:37 PM
#6
Unfortunately many IDS systems can be fooled in the same manner. I currently have a few open bugs with Cisco which deal with algorithm circumvention.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden