[2593] in bugtraq
Re: Denial of Service Attacks INFO
daemon@ATHENA.MIT.EDU (Fred Cohen)
Thu May 23 16:49:44 1996
Date: Thu, 23 May 1996 16:13:26 -0400
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
From: Fred Cohen <fc@all.net>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To: <31A47C4E.590A@ott.opcom.ca> from "Matthew Harding" at May 23, 96 10:55:10 am
> Matthew (matt@ott.opcom.ca) wrote:
...
> On a similar note, a more practical example is this
> condition will occur if any NFS request (mount, getattr, etc.
> etc.) has the source IP field set to 127.0.0.1. This can
> happen in certain circumstances - I believe there is a patch
> for HP/UX 9.x under certain platforms that prevents this
> specific condition from occurring. (Any HP that mounts a
> SunOS 4.1.x server could cause it to crash merely by mounting
> it!).
>
> If anyone is feeling frisky, start playing with a SunOS box
> and try injecting spurious IP packets onto the wire... since
> SunOS doesn't have the nifty DLPI interface that Solaris has,
> it is probably susceptible to many, many similar attacks
> using the standard IP stack.

Indeed, ipsend tests crash many boxes at this time, and that's just
using standard off-the-shelf tests.
The way to stop many of these classes of attacks from over the Internet
is to follow the recommendations in "Eliminating IP Address Forgery"
(available at http://all.net/ under the Info-Sec Super Journal in
"Network Security") - however, these techniques will not stop them all.
For example:
UDP
From: victim-1
To: victim-2
From port: 7
To port: 11
When each is a legitimate address, this will cause such a loop. Since each is
a legitimate address and each is on a different service port, even some
fairly sophisticated router-based defenses fail. Good advice is to turn
off all UDP services that don't have strict format requirements.
-> See: Info-Sec Heaven at URL http://all.net/
Management Analytics - 330-686-0090 - PO Box 1480, Hudson, OH 44236
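
Added example, not part of the original message: a Python triage sketch showing why the port 7 to port 11 datagram described above passes an address-forgery filter, and a port-pair check that flags it. The network, record fields and sample records are constructed, and the set of UDP services that answer any datagram is an assumption based on the standard small services.

```python
import ipaddress

# UDP small services that answer any datagram regardless of its content
# (assumed set: echo, systat/users, daytime, qotd, chargen, time).
REPLY_TO_ANYTHING = {7: "echo", 11: "systat", 13: "daytime",
                     17: "qotd", 19: "chargen", 37: "time"}

INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")  # constructed example network


def passes_antispoof(pkt):
    """Address-forgery filter: on the external interface, drop packets that
    claim an internal source address; everything else passes."""
    src = ipaddress.ip_address(pkt["src"])
    return not (pkt["iface"] == "external" and src in INTERNAL_NET)


def loop_risk(pkt):
    """Return (src_service, dst_service) when a UDP datagram travels from one
    answer-anything port to another, so every reply provokes another reply."""
    if pkt["proto"] != "udp":
        return None
    s = REPLY_TO_ANYTHING.get(pkt["sport"])
    d = REPLY_TO_ANYTHING.get(pkt["dport"])
    return (s, d) if s and d else None


def triage(packets):
    """Classify each record as 'dropped-antispoof', 'loop-risk' or 'ok'."""
    verdicts = []
    for p in packets:
        if not passes_antispoof(p):
            verdicts.append("dropped-antispoof")
        elif loop_risk(p):
            verdicts.append("loop-risk")
        else:
            verdicts.append("ok")
    return verdicts


# Constructed sample records using documentation address ranges.
SAMPLE = [
    {"iface": "external", "proto": "udp", "src": "192.0.2.5", "sport": 7, "dst": "192.0.2.20", "dport": 7},
    {"iface": "external", "proto": "udp", "src": "198.51.100.10", "sport": 7, "dst": "192.0.2.20", "dport": 11},
    {"iface": "external", "proto": "udp", "src": "198.51.100.10", "sport": 40000, "dst": "192.0.2.20", "dport": 53},
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, triage(SAMPLE)):
        print(pkt["src"], pkt["sport"], "->", pkt["dst"], pkt["dport"], verdict)
```

The second record has a legitimate external source address, so only the port-pair check catches it; disabling the listed services on the host removes the condition entirely.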