Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Security Alert: Multiple OS IP Fragmentation Memory Exhaustion Vulnerability



 By: eWEEK
2004-04-02
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
iDefense Alert: Remote exploitation of a new IP fragmentation attack can result in a system running out of memory, allowing a denial of service attack.

Editors Note: A security alert is presented daily to eWEEK.com readers by iDefense Inc., a security research company based in Reston, Va.

Severity: High

Analysis: (iDEFENSE US) Remote exploitation of a new IP fragmentation attack present in multiple operating systems (such as Microsoft Corp.s Windows, Linux and Cisco Systems, Inc.s Cisco IOS) can result in a system running out of memory, allowing a denial of service (DoS).

Many types of fragmented network packets created (e.g., TCP-IP, UDP, ICMP, etc.) will work when sent to a remote host. For each attack, two packets are sent; the initial packet having data that indicates an offset of 0, and a second packet having an offset of 64800. This causes the target system to allocate a portion of memory for the remaining packets that will complete the original un-fragmented packet. For each attack, the target system will allocate 64 kilobytes of memory, which is held in reserve (typically for between 15 and 255 seconds).

If attackers can send a sufficient number of packets, they can cause memory (on the order of gigabytes) to be allocated. Since this attack utilizes a single packets fragments and no actual TCP-IP connection is required, it can be spoofed. For example, attackers can exploit this vulnerability via a SYN connection packet or UDP packet, which is stateless.

Sites that suspect they are under attack due to abnormally high CPU and memory usage should run packet sniffers configured to look for fragmented packets. Observing a large number of fragmented packets with no corresponding connections is an indication of an attack. Depending on the target systems configuration, attackers with access to several hundred kilobits of bandwidth can consume several hundred megabytes, possibly gigabytes, of memory.

Detection: Most operating systems capable of handling fragmented packets are vulnerable, depending on the specific design and configuration of timeouts used. Windows 2000, XP and 2003 are reportedly vulnerable. Almost all forms of Unix, Linux, BSD and Mac OS X are reportedly vulnerable. Cisco IOS and other network device operating systems are reportedly vulnerable.

Packet sniffers, such as TCPDUMP, can be used to detect exploitation if large amounts of fragmented packets are present on a network:
Resource Library:

tcpdump -nn -v ip[6]&32!=0

Recovery: Power cycling the router is required to resume normal operation.

Workaround: Disable the web-based administrative interface on the Cisco 675 router.

Vendor Fix: iDEFENSE is unaware of any vendor updates. These are likely to take some time in any event as they require modification to packet handling structures and algorithms used to process them.

iDefense provides security intelligence to governments and Fortune 1000 organizations, and provides this daily threat alert to eWEEK.com

Check out eWEEK.coms Security Center at http://security.eweek.com for security news, views and analysis. Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page:  



  Reader Comments: Security Alert: Multiple OS IP Fragmentation Memory Exhaustion Vulnerability
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By eWEEK
 



x}r㶲s\@♵M=RJd[klҌפN!1Er=JN~b:?qtMZe2{fʶD 74{$ G7L{B.cnQ?sOG7郿O$w}L9UQ#C3W)92 E]0eNznDzpDwd>J`OS{S )5'Ӡ5ޙ Q}_6g2z9o0 fE63F6I=E9JDq?֥qɏL|2#ַ8>v@ߨV:AÙML}!*{|HJ%h!1Qusad^x/4;U;a/rFwSѡ*v25v+n /@Z#\DȁRh=3d9';{ -XdUZL bC2R!1;r,ǃ)KTQ3c}fZ3u-3ǀؾQ̀A3#v?ƭ QI&q#/6<{ex6ܳL]b#6fJoCO|l ݟR~$OLEsؗCY֍A,sti #M-jZUQ bkG╇i΃oq#gݨ޾}KB)(U:Gq7Z}nm)9x] Z sruO}qN6nyvtx//0wFD_*QI- Y|/LZ@GS::Y'N{_"xZjkMюR=%Y̮g fVҘ 'UUjH,ǝq%?ZWM&M}X&ZhCA+t19zq{ں}\=rڽ!Iə{Ά0pgs Z_Zr<-z?Yz>5409;RZIjg$Zݓ6 I|[8VEu޿ =M%%wܿ?#,_ fk7 J i":svf5Pko43@_x0Nu{ns'@̀kfPXT@AN)61tkM`3R˼$%/^P%P샖_΢[2jFTwIQa#aẍ_,ʹcc^IRe6\}yp|vwܬu"*մ޹-~4ҢKsIiH{v#ZG>O=3jY}vi|Q}Ѧ>87}45 @ Lna V83tCuӹݰ=Uԇ9[i50CGA 6]LR}b;>t9 PhS0<xwLMσ-JCˋƠ` VPC9N@FܧP}MrA}6g`sDoiC1QB?Ԇ!~9.b&A/tKt=JIA }At"BђF 4  gscX"C"' [AXk ab .u@G҅3qjTD;7քbZ z)0 eVRihn1!UG,D`v9r,L.Y ϴ6JԭybQ9ҴZ hқ͑ Kܺye&,@PCb;*O<sy?4ğN'=ǺdmA 9g߃)兏u5dMjE3ӆMI|Ehs 2!jyZ&5LUXMC4fX7*p=&.0|jj iS w$m˴)s7BgsݐC/2$\^&AB1 6d:l';oW fnR>MO9XScXO`Da Lzb0ufm/n$1`V|\uLg˦zkfXؽ/ 7R@]֥PK 2LZԵ1 E$$BY`}.eGQHīd - jInPx{8`O1k=0\Pe_M }d2waՒhXj|[Y`B^eܠQ3$XsQ[ ҆|x ku8.`CϱKs=: S=`6*'|>Jeǝ:~ҧ ;BSjb3}Ä끄 _%tp:P[%n//+ i{u]ؕRB|zn P[aHz{>8`Tfla86-b<ݝvmļZB_@iTԗKJAUc/`kLĽf2,rƎe9وAF CQ>-D.M{ \jpj Zqqf~~~0,Ly.J?}uVN0\?@&R)Ö13ghimFǙL,*IH՗bAQ xHkMf٧7_gh0ցq_HEy[pp BU.(L,:j1-[ Hg [Qzo3C zA$zcK& GGsݧ==1g *5@~2T+BZ= QQT*߬Ps1)'@S$f|`g<ڗ_ޝ?4Mc'6 `3Txk}`x䃋2,*`Ȳ|˘/ մv2<~*3֔R)hRBVAE Qp`գ)u7qfv9A#]3@$2]t@ HQj8ΓeO#c#lʂt!WMUm~,`wY0>AG5"耰!(3E6(9;@+5-| I1H%[SsGŵRC]5}-dq]U*jAe߯yUb^ LjB:GdH>#`Zv*6w Ԫ6 h)6YS!bW hĞeeK7edjC鳰'w&Z y.Am@/r/|&q3旁Q_䑫VJ% `$fqNgGA:T{56 s0X3f~ruWk*dy{ zНt;nʭܱ -&oc d.ōfπïǖ2mԚVNL&Vi Z;k}zGdCR =OR-%wJI) `zVEZ)~ HǞ1}]>ṱ7O7oUUASG;:9&ߐ@ZhO ] 8sP$X2'MU"[ qy lSbR/փ `AQ "U!7T>O7(~ (zC>m {~L>\TS(.>mP*jIIz,pUU1n?mVVW`j-^2yanD9[ 4wʨKV͖O%4e3/ -9@X<y}baHwrKz]wѼڀ8ZfDs, .i,: -e4g*ݐGwUkNJZZ$t` ۳<0%{q*LEM+t׀m+J9ww|L4 #uL)yHP?lZ.+BvQ *s>P|o =$Є_؆ +~W?l)ɡ$ |BJ D;}ZPf7&3 991t/xya`zY*o@/I6S.:;l4Bޏ.}N~H ۧ>^e!1@q3nnt ;g( ^-Xi\#-HV_tD`%u.gm~61%|˾NIM $(XNpCO"juΤm}#8.odhq^ 8͛ΕI{ÏU[J:^w9"!5/:gW, Y# B\7 ǧͦ vpR`QqH;z0M6 :M}Éb9kI*D|=d_5gHܠ ʣa4l5/ٿ+[Ě_f߅B!|JgG<؇AP#{ z P)'$N):c/;$BL0BD_XJI!)W$f'e*K倏wqJh 鳁VKM^c'`|xr'|'xj}yUy^=t#jVuwfܣcDi:n{GQ =dznO8Z𿲜\ta_}`|;sF'5\{ v,QM xql}HK,a43q=vbϓ{~\[ ("Ξ[e氎cnW gt!&V\uyoߐէ9arJs ނ3QG 6j 2'|\+U뀞< h`#[#60N Ģ762cŸց!{ Rb'MNi zc{ƹ39#@*yx\[w5&P)<A~A< v4){7yΛz}hn;d⫆ܖ~@F' zYOXW+O*?'qVԱQ*_2$;lߖŗc3Ocp௥* 21  \@Ӟ Ma_Ͻz2.mE>zQc%F}?^Sϗt8/`8?6#,ӜiՂV)]&?ݍ+dXZ75tA,I %z0KeSq_ GŲ=G<%]ƂGǠox!i䃋xrRqn|8d(΀۾,SGM X?N:l(}Irs'|G~'0n!>.f`ڥBld5=%exTu:=S^>8Vc"Ql/ sގ";ˌ2M-'>N+bb [>b;}b%,xRD^dId+m$.e%!8-y}FjA-/iC7>/&<"!YID)ݜs??Xhl7s<6z|L 1aԗuz"λ$ΣX(M4ɁVhRbrb/?/:]gGs[@vbdY 'BbR 'A<ݮKeEK$6R@TtOXf#TLj,U !l=xM-%46Lri%tA)HgKMו,Qu,Աǎt<k#l/ZJlA\} o 4O9sQ|17Oc?`r2<"OjJ&"őxi<쯋oA"&f0RKXR t}xZ6uUl^ 30B"sJ a1_?3!R3^މmKKxW: $XPݧ`;#O=X"1kPp#A- [HuQ+Dճx.Zݖ`/OQH/5 o[Idq* 'V(k, @с8_Y>+%> 'z+oKoWRܳjaM=q'ϣXNIQ>6ഖ}d|mj75Y_,n(OJ=Cf&RwF2`{VSkJ1kA%-71v@IYHV;㠱+)*O5.lxƋ!ؒmNF;whDw8 xIGt㵈)L4?iKdy +3f bq<%< M::::bI+:{?!ZOt >mbi䐂:sX=+4`-iIII#Iari pga $o֤w05&T2a0BZ@mI/e(νb(BS@as| WfME,"C/%+'%U^ܿp!ܺ[k̅D1zif؛ޒoauDM%[{%AM|QB=/u'q^z`&W tt/&2S:mEUV7Mq!7':u;e.X"$jO#/^e%7#]4&s3"ƅHǎ~zZH$Djy0P$9|1|m$LHy]ؒB^̱nN;WksE}{B7axnIf2)ƙMq7<H 0x$Qd<+'%eU^\mzp=d4)&@CY'!'>nl_wgk~m~m~m~m~ZM+վnfzͫh3y;c-pcw>Ɠ.G,XDcCHBBaC`_Xn?hێmw$O׺H|SFs I)^g~8.H[O⡻fRF84 !yrh"YfuS0x[LsOAڞٌ0ŔLoV)XTdȢR뺠(fa|xjǓGl7Ɩ4/#Z.`@5s%]SDžqv"1f@bǛ$!*"EH_.!v{c7{´矙R8?˟̅=pns&˲# ,Y}nF Qp~}2\GpR@p#œBmŖd@'x!L:P7r@),t"`}'D?vaSsfM)az8hrPalcJ=%\Dz .L10/'vEA,4vtc6z-AAm!xZ7Nb`9gP)}JxmMܳKbL]U^~#ue5:nY^_WP4'$ J{[dp3/2^`*D\Ml߼S?!٩LfERso Zߦm_mY(aV_~tׅ dUoko9t%۬RR2ײ#1}.eLzl^Bif#e։ IV(Hߤj3ƚe< -~m%@=> db>8\AO=cЃ%:?w}55hνco(j#:lo^"Ҷ͎=[,"_U UKɀ{E7=0͠6Y}gj w O/P4i>U`C5>[ w)|{*087~ @(To\kE_A-m̴hgϡ6 ?5fTn8CnĽr41V1"}?qT&ݥe y2fSxi vf4}Su&.[{평{T= ? KL)`G%]oC~0gxV pOA&r副i" ǫb@M(utBxwWR;hē~ODp2 k)G>?F}K:^ۏo+B7oܮqHjXmnR] (яTeQO*'⋨s.JN(aZ&א4>(CZPBZ]’M=Is1ꚚrMn @`!~%RDZC@ O^a)qc) kpx΃L,tx{n$?؎7ӭY&6ǜMEfAiT9Us\:$VG ]J1xy[?L̀+5&L'9RE(*Io$TG 1R(M07ӏ|^.>>)fF<zVCGJk&pVy k+Lx}[8OH_q=o73QXsS5u87Z}yr:|h 7pK $:u'⦪v1[+`65~`OR.g@%[7\Z 0!6)lW-TH+(%\z`˛fF+iAwcL 4xcgo{I c Ort&7\9P[S8g_ 6a^zGZq!G)L}o LðhLRO= N9ǃ"Ba=X@:>IoH$]U# `xiMF4zhv.Uw7= dN,9k7Cߑ7R%βb `D}ecL'L$EuE) 2Egn0Osˮ C^!&W醾!sSy-r)G`Q}檧Ԕ1";W'0枩U1,a2)kM(qik8<4>|?ziJ0% aArL #qbx^J&"=L#&|Mqx(҂R{D@۹flUo%P`qT|8snj=J<|>5 DjaT_.JUE d37  c!gz v7UIu~;0Fh0us<F"Ox})l@͇33f;. l9 :W@Lg>򽉡:ς؍)s)aR;<;Q@<Pl 4'6&WHLo12{xbRU+J)|UweX &zDKwy |7kfY3{8~_ROr%-ruV0`A='i92fg4t\K=T$ڟ`%i4MMz{'7~{E[<m[8j?N9>t?v7~qjz10kym21^ ΓQ9j^283E B*r4,xE^/>M`n/^< NL*a^e=DM@*:ecr jݴ{=--YWG>;tɉcdHw>n)^ZZ+!pXmns!>E/'}ҽjIJ/6//2C_(\~JmfwQ\'P~s3YF>@\㼳5:r_'\eC;52?A">he\/3 /~/3{ %2c@y yAȣW3ϡ<PK((ʘ+ ʘ..ȟn|fȗk 3޿ɠ11>_?m.!>BǬrnj}}-ff--m%u$e!(ofYNoT8\8^JeYWa uuQ^ yVV<^`fkx.rf e{);[?[tOBX\jzr+^gim4v+iAư۸/6^c/K^浽I=$xEq\+gل@CX{#uO'NW4CﹺKd^ WsU}ӉzZ>Ś/JYy<* t!=}}¨Az "\ ½p'oeybnAR̤F4YQ =W]6ppSn$o; 5OK}.omG;yh#62f;w K췡\2gA7gn"B8Cw_aɠ1zI?'O!4 D =C>jpO_i{A|7q X1Y&IΝrQӊj~JR}' aFdQL`FTMVYI0ZYr(RB4|O۴W)Y7tCsc<{+4аY-}"z%~@NL6"/cA6of)3^FսD<'M~ m

oٔ^^CzN*˗ X627O(vY['lybb)m+cm"9<%23wHP,cV}]."0 ;VWӄ.ӡ/'"dxU,0GX1iYʳ]N=Xv7n:+njb5Q spa3 Ӯ2 /§On3 &`T8],>/zЃ4r-V$ǖ1x_05:%xlӍ(1L;-ioB+_w![@՞jv\8Ï nzusڹ Yn[ݨ3׸K5 X 9c*K'[jb?Nv3 O"Mx^;4mF<#FOb\װnBaIgL a~*9D$&πxŶ/G㿄$E;0|+ 94Ǟ”0ـO ؠ+.Ġ/>''4WB)3Vk*q8w42T`';Mhp+`AtN[a>$N*۹f$ӧuGsMz5>~MoM"~wg%v f\gHa)x<AR~hqzF߭Uh#IM &Ah&5b8gK“J'Ңr\鱻$Vr.Q =nιfoUR۞,`'/2^;' g\zH|k,XoϨD % %^Πb_wsԷeEQ&PLŽ=G)JqK+yHR͠#9"Ź oPmJwGw/F:} S sT)*N9D/ˠvS_EɿعKӘ1L1А8v2COA#t ӏe[a O2C24@ خ;Oq^' 3>Ƌrx{Go:t1$(+nOvGD g>6'كl4=pM@!(Fْ[0-?Fq:h/Asl2q=W43@FWD0;"ZY}"sE%X,8/ uf㿴ƝMQKW-9-Bux [=] D peӵy2 WcVa]R>E+ ]'[ۧ3й?-{/e;],{QFbfB#q-E6<]܈x~ݺÀg OTx.X?l׉Q#hӴKQaW:7n MywT \7o﹨+]ycQ1W)?Il}X~o6,lp/>cwϏq`2[uo~[[8K cd.GXI@ qk,Ma4,Lb5"[]QI(`vX33},@a)5\BO SoO80Ux|-h\}{}v,s0#ŸEr g4GjV0U9w, j7Wxozc|>[zD,5bb:({=zk|XKc.&Ա`=br8Lte4Q3|JKm)g3 τ ixv4<5@TF_E@G7dyUĄfٵ\RJnrmmkJ>dS1C'@j0\|_H d9[\O^مt&3k9/YH~>  \99.@$NSP_Xџ],?I*g\%ƕySq|h\7,{՗NO<|Xyx(~']f(FRqO\|t/71X7/=n?~jIaE yiAђu7vH]7[Y"^ֳL~c Whc<3xL M4V*wNVtƢI26pzRSV01{6JܖmJPUN9KIk^iLNƇZڱ wm<lx61j+