Firewall
8.5 Denial of Service
BAT54-Rail/F.. Release 7.54, 06/08, page 306
In the IP header there is a field "fragment offset" that indicates where the received fragment is to be placed when the resulting IP packet is reassembled. This field is 13 bits long and gives the offset in 8-byte steps, so it can express an offset from 0 to 65528. With an MTU of 1500 bytes on Ethernet, an IP packet can therefore be made up to 65528 + 1500 - 20 = 67008 bytes, more than the 65535 bytes the 16-bit total length field allows. This can lead to an overrun of internal counters or to buffer overruns, and thus gives the attacker the possibility of executing their own code on the victim workstation.
In this case, the Firewall offers two possibilities:
Either the Firewall reassembles the entire incoming packet and examines its integrity, or only the fragment that extends beyond the maximum packet size is rejected. In the first case, the Firewall itself can become the victim if its implementation is incorrect. In the second case, "half" reassembled packets accumulate at the victim and are only discarded after a certain time, so a new Denial of Service attack can result if the memory of the victim is exhausted.
Teardrop
The Teardrop attack works with overlapping fragments. After the first fragment, a second one is sent that lies completely within the first, i.e. the end of the second fragment is located before the end of the first. If, due to carelessness of the IP stack programmer, the number of bytes to copy for reassembly is simply computed as "new end" - "old end", a negative value results, or a very large positive value when the count is treated as unsigned. During the copy operation parts of the victim's memory are then overwritten and the workstation crashes.
The Firewall again has two possibilities:
Either the Firewall reassembles the entire packet and rejects it if necessary, or it keeps only the minimum offset and maximum end of the packet and rejects all fragments whose offset or end fall into this range. In the first case the implementation within the Firewall must be correct, so that the Firewall does not become the victim itself. In the other case "half" reassembled packets accumulate again at the victim.
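As an added example, not taken from this manual or from the BAT54-Rail/F firmware, the following Python implements the second option described for each of the two attacks: rejecting a fragment whose end lies beyond the maximum IP packet size, and the minimal Teardrop defence that holds only the minimum offset and maximum end per datagram. The header decoding follows the IPv4 header layout; the datagram key, the constructed sample fragments, the `build_fragment` helper and the `naive_copy_length` function illustrating the flawed "new end" - "old end" arithmetic are assumptions made for this illustration. The overlap check also rejects a fragment that entirely encloses the tracked range, which goes slightly beyond the offset-or-end rule in the text.

```python
import struct

IP_MAX_LEN = 65535      # largest value the 16-bit IPv4 "total length" field can express
FRAG_UNIT = 8           # fragment offset is counted in 8-byte units
MF_FLAG = 0x2000        # "more fragments" bit in the flags/fragment-offset word
OFFSET_MASK = 0x1FFF    # 13-bit fragment offset


def parse_fragment(packet: bytes):
    """Decode the IPv4 header fields needed for the fragment checks.

    Returns (identification, offset_bytes, more_fragments, payload_len).
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, _proto, _csum = struct.unpack(
        "!BBHHHBBH", packet[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    offset_bytes = (flags_frag & OFFSET_MASK) * FRAG_UNIT   # 0 .. 65528
    return ident, offset_bytes, bool(flags_frag & MF_FLAG), total_len - ihl


def exceeds_max_datagram(offset_bytes: int, payload_len: int) -> bool:
    """Oversized-fragment check: the reassembled datagram would end past 65535 bytes."""
    return offset_bytes + payload_len > IP_MAX_LEN


def naive_copy_length(old_end: int, new_end: int, unsigned_bits: int = 0) -> int:
    """The flawed "new end" - "old end" computation the text describes (illustration only).

    With unsigned_bits > 0 the result is wrapped the way an unsigned copy length of
    that width would be, turning a negative count into a very large one.
    """
    count = new_end - old_end
    if unsigned_bits:
        count %= 1 << unsigned_bits
    return count


class FragmentTracker:
    """Minimal Teardrop defence: per datagram keep only the minimum offset and the
    maximum end seen so far and reject fragments that fall into that range.

    check() returns True if the fragment may be forwarded, False if it is rejected.
    Assumption: 'key' identifies one datagram, e.g. (src, dst, protocol, identification).
    """

    def __init__(self):
        self._ranges = {}   # key -> [min_offset, max_end)

    def check(self, key, offset_bytes: int, payload_len: int) -> bool:
        end = offset_bytes + payload_len
        if payload_len <= 0 or exceeds_max_datagram(offset_bytes, payload_len):
            return False
        rng = self._ranges.get(key)
        if rng is None:
            self._ranges[key] = [offset_bytes, end]
            return True
        lo, hi = rng
        # Offset or end inside the tracked range, or the new fragment enclosing it
        # entirely (the enclosing case is an addition to the text's rule).
        if lo <= offset_bytes < hi or lo < end <= hi or (offset_bytes < lo and end > hi):
            return False
        rng[0], rng[1] = min(lo, offset_bytes), max(hi, end)
        return True


def build_fragment(ident: int, offset_bytes: int, more: bool, payload_len: int) -> bytes:
    """Constructed sample data: a minimal IPv4 fragment (UDP, zero checksum) for testing."""
    assert offset_bytes % FRAG_UNIT == 0
    flags_frag = (MF_FLAG if more else 0) | (offset_bytes // FRAG_UNIT)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                         64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + bytes(payload_len)


if __name__ == "__main__":
    # A fragment at the highest possible offset carrying a full Ethernet-sized payload
    _, off, _, plen = parse_fragment(build_fragment(1, 65528, False, 1480))
    print("reassembled end:", off + plen, "rejected:", exceeds_max_datagram(off, plen))
    tracker = FragmentTracker()
    print("first fragment accepted:", tracker.check("dgram-2", 0, 36))
    print("overlapping fragment accepted:", tracker.check("dgram-2", 24, 8))
    print("naive copy length:", naive_copy_length(36, 24), naive_copy_length(36, 24, 16))
```

Keeping only minimum offset and maximum end is cheap, but it also rejects legitimate fragments that arrive out of order and fill a gap inside the tracked range; that loss is the price of not reassembling in the Firewall, and it is why the second option leaves "half" reassembled packets at the victim rather than complete ones.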