[14801] in bugtraq
Re: Denial of service attack against tcpdump
daemon@ATHENA.MIT.EDU (Dragos Ruiu)
Sat May 6 15:31:56 2000
Content-Type: text/plain
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-Id: <0005031349321B.00340@kyxbot.zorg>
Date: Wed, 3 May 2000 13:28:25 -0700
Reply-To: Dragos Ruiu <dr@DURSEC.COM>
From: Dragos Ruiu <dr@DURSEC.COM>
X-To: bretonh@PARANOIA.PGCI.CA, bretonh@PARANOIA.PGCI.CA,
BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.SOL.4.10.10005021942380.2077-100000@paranoia.pgci.ca>
On Tue, 02 May 2000, bretonh@PARANOIA.PGCI.CA wrote:
> There is a way to disable tcpdump running on a remote host. By sending a
> carefully crafted UDP packet on the network which tcpdump monitors, it is
> possible, under certain circumstances, to make tcpdump fall into an infinite
> loop.
>
> tcpdump interprets UDP packet from or to port 53 as DNS traffic.
> Consequently, tcpdump attempts to retrieve information (such as domain names
> in this case) in DNS queries and replies and display it. However, domain
> names in DNS packets use a compression scheme to avoid multiple occurrences
> of a domain name in the same packet. This scheme uses jumps to a particular
> offset in the packet.
>
> If this jump offset is set to its own location and if a program trying to
> decompress the domain name does not have any type of counter or strategy to
> avoid infinite loops, then the program will jump to the same offset in the
> packet over and over again.
>
This all points to another reason to always run tcpdump with "tcpdump -n" err...
quiet mode as you called it.
Another serious drawback to allowing tcpdump (or any sniffer as a matter of
fact) to look up DNS addresses is that it allows evil haxors to immediately
identify the security machines/probes on the network by either passive
monitoring and detection of the lookups or by penetrating the name daemons
(or the DNS server that hosts it) and looking at the logs. DNS logs can be
fascinating sources of info.... This information will immediately highlight
what should be the evil haxor's next most important target. :-)
There are some sniff type programs (ntop and iptraf from memory) that
implement a separate thread/proc to do the DNS lookups and cache some of
the results. This can be a way to mitigate the security machine DNS
"beaconing" to a degree, but they are still vulnerable to the following sniffer
detection algorithm:
1. Inject packet to strangedest.net
2. Look for any machine doing a DNS lookup to strangedest.net
This is particularly useful if you already control strangedest.net.
The moral of the story is that where tcpdump is concerned "-n" is
a very nice option.
cheers,
--dr
--
dursec.com / kyx.net - we're from the future http://www.dursec.com
learn kanga-foo from security experts: CanSecWest - May 10-12 Vancouver
Speakers: Ron Gula/NSW, Ken Williams/E&Y, Marty Roesch/Hiverworld,
Fyodor/insecure.org, RainForestPuppy/wiretrip.net, Theo de Raadt/OpenBSD
Lance Spitzner/Sun, Fyodor Yarochkin/KALUG, Max Vision/whitehats.com
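Editor's note: the message above describes the RFC 1035 name-compression pointer (a two-byte field beginning with bits 11, whose low 14 bits give an offset into the packet) and the failure mode when a decoder follows a pointer that refers to its own location. The following is an added example, not tcpdump's code nor anything from the original post, of a name decompressor that refuses that loop. The guard it uses is the RFC's own rule that a pointer must refer to a *prior* occurrence, so every hop has to move strictly backwards in the packet; a self-reference or forward jump is rejected outright, and since the position decreases on every hop the loop is bounded by the packet length. The two packets it parses are constructed inline for the demonstration (a benign response with one pointer, and a 14-byte packet whose answer name points at itself); the function and constant names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_NAME_MAX 255  /* RFC 1035 §2.3.4: total name length bound */

/*
 * Constructed benign DNS response (not a real capture):
 *   bytes  0..11  header (id, flags, qd=1, an=1, ns=0, ar=0)
 *   byte  12      question name "www.example.com": 3 www, 7 example, 3 com, 0
 *   bytes 29..32  QTYPE A, QCLASS IN
 *   byte  33      answer name "mail" + pointer 0xC0 0x10 -> offset 16 ("example.com")
 */
static const uint8_t good_pkt[] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01,
    4, 'm', 'a', 'i', 'l', 0xC0, 0x10
};

/* Constructed hostile packet: header, then a name that is a pointer to
 * offset 12, i.e. to itself. A decoder without a loop guard spins forever. */
static const uint8_t evil_pkt[] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0xC0, 0x0C
};

/*
 * Decompress the name starting at offset `off` of `pkt` into `out` as a
 * dotted string. Returns the string length (0 for the root name) or -1
 * for malformed input: truncated labels, reserved label types, a name
 * over DNS_NAME_MAX, output overflow, or a pointer that does not go
 * strictly backwards (which covers the self-referencing pointer).
 */
static int dns_name_decompress(const uint8_t *pkt, size_t len, size_t off,
                               char *out, size_t outsz)
{
    size_t pos = off, outlen = 0, wire = 0;
    int first = 1;

    if (outsz == 0) return -1;
    for (;;) {
        if (pos >= len) return -1;                 /* ran off the packet */
        uint8_t c = pkt[pos];
        if (c == 0) break;                         /* root label ends the name */
        if ((c & 0xC0) == 0xC0) {                  /* compression pointer */
            if (pos + 1 >= len) return -1;
            size_t target = ((size_t)(c & 0x3F) << 8) | pkt[pos + 1];
            /* Loop guard: a pointer must reference a prior occurrence, so it
             * must land before the pointer itself. target == pos is exactly
             * the infinite loop described in the original report. */
            if (target >= pos) return -1;
            pos = target;
            continue;
        }
        if (c & 0xC0) return -1;                   /* 0x40/0x80 label types: reserved */
        if (pos + 1 + c > len) return -1;          /* label runs past the packet */
        wire += 1 + c;
        if (wire > DNS_NAME_MAX) return -1;
        if (outlen + (first ? 0 : 1) + c + 1 > outsz) return -1;
        if (!first) out[outlen++] = '.';
        memcpy(out + outlen, pkt + pos + 1, c);
        outlen += c;
        first = 0;
        pos += 1 + c;
    }
    out[outlen] = '\0';
    return (int)outlen;
}

/* Wrappers so the results are return values: the answer-section name of the
 * benign packet, and the outcome of parsing the self-pointing packet. */
int decode_answer_name(char *out, size_t outsz)
{
    return dns_name_decompress(good_pkt, sizeof good_pkt, 33, out, outsz);
}

int decode_evil_name(char *out, size_t outsz)
{
    return dns_name_decompress(evil_pkt, sizeof evil_pkt, 12, out, outsz);
}

int main(void)
{
    char name[DNS_NAME_MAX + 1];
    int n = decode_answer_name(name, sizeof name);
    printf("benign answer name: %s (%d)\n", n < 0 ? "<malformed>" : name, n);
    n = decode_evil_name(name, sizeof name);
    printf("self-pointing name: %s\n", n < 0 ? "rejected" : name);
    return 0;
}
```

The strictly-backwards rule is stricter than a simple hop counter (a counter merely bounds how long a hostile packet can keep the decoder busy), and it rejects forward pointers that the RFC does not permit anyway. Note that none of this is needed at the decoder if the sniffer is run with `-n`, which is the point of the message above: the parse still happens, but no reverse lookup leaves the monitoring host.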