Greetings and Salutations: On 4/8/04 1:26 PM, "Darren Reed" <avalon@caligula.anu.edu.au> wrote: > In some mail from Ventsislav Genchev, sie said: >> >> I've tested the attack on 4 machines.. >> The first two were running windows 98 SE with all patches and service >> packs... the CPU stuck the 100% as soon as the attack started.. >> > Is there any real point in testing Windows 9*, still ? > Does anyone care, including Microsoft, enough to want it fixed rather > than get people to upgrade to something that is better when it comes > to security, overall ? >From my experience in the real world, specifically with Windows 98 (and I suspect ME) I would say that yes we should care. You would probably be frightened at the number of people still running Windows 9* and ME. With a OS like Linux most people are *PROBABLY* on a newest version, but I bet you have companies who had a consultant parachute in, set up the Linux box and then leave. Nobody touches the box because they are afraid to. Also: Snort (IDS) does not detect this as an attack. Please note that any Snort rule should allow for two "small" fragments making a "large" buffer. The attack I published can easily be modified with different size packets and the end fragment put in different areas of the fragment (at the end, near the end, etc.). If anybody is able to "attack" any other machines please tell me the results, I am curious. I have come up with the following: MoDem speeds: 1) Microsoft 2000 - 200 packets in less than 2 minutes completely shuts off legitimate fragmented packets 2) PIX - 200 packets in less than 5 to 20 seconds completely shuts off fragmentation LAN speeds: 1) LINUX running on a 450 MHz (I know, very slow but it is all I had) high CPU utilization, some missed packets at ?400 Kbits / sec? (I have to run this test again) 2) Macintosh G4 dual proc - some missed pings starting at about 110 Kbits / sec (no / very little CPU utilization increase) Mike from the FreeBSD mailing list has told me that there may or may not be very much code sharing between the Mac OSX and FreeBSD, so the above tests may not apply to FreeBSD. 3) Cisco 2621XM router - 20% to 30% utilization at 600KBits / second There is an article discussing the fragment attack from IDefense that claims that a Cisco 675 router had to be rebooted !?!??? The article: http://www.eweek.com/print_article/0,1761,a=123491,00.asp Ken --------------------------------------------------------------- Do not meddle in the affairs of wizards for they are subtle and quick to anger. Ken Hollis - Gandalf The White - gandalf@digital.net - O- TINLC WWW Page - http://digital.net/~gandalf/ Trace E-Mail forgery - http://digital.net/~gandalf/spamfaq.html Trolls crossposts - http://digital.net/~gandalf/trollfaq.html
