Observing a large number of fragmented packets with no corresponding connections is an indication of an attack. Sites that suspect they are under attack due to abnormally high CPU and memory usage should run packet sniffers configured to look for fragmented packets. For example, attackers can exploit this vulnerability via a SYN connection packet or UDP packet, which is stateless. Since this attack utilizes a single packets fragments and no actual TCP-IP connection is required, it can be spoofed. If attackers can send a sufficient number of packets, they can cause memory (on the order of gigabytes) to be allocated.
For each attack, the target system will allocate 64 kilobytes of memory, which is held in reserve (typically for between 15 and 255 seconds). This causes the target system to allocate a portion of memory for the remaining packets that will complete the original un-fragmented packet. For each attack, two packets are sent the initial packet having data that indicates an offset of 0, and a second packet having an offset of 64800. Many types of fragmented network packets created (e.g., TCP-IP, UDP, ICMP, etc.) will work when sent to a remote host. zimages/1/72206.gifĪnalysis: (iDEFENSE US) Remote exploitation of a new IP fragmentation attack present in multiple operating systems (such as Microsoft Corp.s Windows, Linux and Cisco Systems, Inc.s Cisco IOS) can result in a system running out of memory, allowing a denial of service (DoS).
Editors Note: A security alert is presented daily to readers by iDefense Inc., a security research company based in Reston, Va.
0 kommentar(er)
