[3552] in bugtraq
Re: Suspicion about denial of service attacks possible on IP.
daemon@ATHENA.MIT.EDU (Darren Reed)
Tue Oct 22 20:09:57 1996
Date: Wed, 23 Oct 1996 07:45:57 +1000
Reply-To: Darren Reed <avalon@coombs.anu.edu.au>
From: Darren Reed <avalon@coombs.anu.edu.au>
X-To: hpj@one.se
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To: <Pine.HPP.3.95.961021181919.1137F-100000@tide.one.se> from
"Henrik P Johnson" at Oct 21, 96 06:22:28 pm
In some mail from Henrik P Johnson, sie said:
>
> I was idly reading through Internetworking with TCP/IP yesterday when it hit me
> what might be a possible denial of service attack on IP stacks. What would
> happen if a host was bombarded with faked fragments of large IP packages? Would
> the stack allocate more and more memory trying to reconstruct the packages or
> do they operate with a fixed/max size limit on memory allocated for IP
> defragmentation?
It is possible, but it requires a lot of packets.
Different boxes handle it differently too.
When I tried it against my SunOS4 box, it didn't crash, but X-Windows could
not be used after it ran out of mbufs.
There's a bug in how overlapping mbufs are freed in BSD code up to
4.4BSD-Lite/2 (I believe) - that or it never got merged with FreeBSD 2.1.5.
(Patch for this is included with IP Filter ;) For FreeBSD, it seems that
the result is that it never frees the mbuf...
Darren
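
The "fixed/max size limit" asked about above, as an added example that is not part of the original message and is not taken from any BSD or IP Filter source: a reassembly table that caps both the number of incomplete datagrams and the total bytes held, and expires stale entries. All names and limits here are constructed for illustration, and only the memory accounting is modelled, not the reassembly itself.

```c
#include <stdint.h>
#include <string.h>

#define MAX_QUEUES 4       /* constructed limit: incomplete datagrams tracked */
#define MAX_BYTES  65536   /* constructed limit: total bytes held for reassembly */
#define FRAG_TTL   30      /* seconds an incomplete datagram may wait */

struct fragq { int used; uint32_t src; uint16_t id; uint32_t bytes; uint32_t born; };

static struct fragq fragtab[MAX_QUEUES];
static uint32_t held_bytes;

/* Release one queue and return its bytes to the budget. */
static void fragq_free(struct fragq *q) {
    held_bytes -= q->bytes;
    memset(q, 0, sizeof *q);
}

/* Drop every incomplete datagram older than FRAG_TTL; returns how many were freed. */
int frag_expire(uint32_t now) {
    int n = 0;
    for (int i = 0; i < MAX_QUEUES; i++)
        if (fragtab[i].used && now - fragtab[i].born >= FRAG_TTL) {
            fragq_free(&fragtab[i]);
            n++;
        }
    return n;
}

/* Account for one fragment. Returns 1 if held, 0 if dropped because a limit was hit. */
int frag_accept(uint32_t src, uint16_t id, uint32_t len, uint32_t now) {
    struct fragq *q = NULL, *spare = NULL;
    frag_expire(now);
    for (int i = 0; i < MAX_QUEUES; i++) {
        if (fragtab[i].used && fragtab[i].src == src && fragtab[i].id == id) q = &fragtab[i];
        else if (!fragtab[i].used && !spare) spare = &fragtab[i];
    }
    if (len > MAX_BYTES - held_bytes) return 0;   /* byte budget exhausted */
    if (!q) {
        if (!spare) return 0;                     /* queue table full */
        q = spare; q->used = 1; q->src = src; q->id = id; q->born = now;
    }
    q->bytes += len;
    held_bytes += len;
    return 1;
}

/* Bytes currently held across all incomplete datagrams. */
uint32_t frag_held(void) { return held_bytes; }
```

With both caps in place a flood of unfinished datagrams costs at most MAX_BYTES of buffer, and the timeout guarantees that memory comes back even if the missing fragments never arrive.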