Greetings and Salutations:

While this discussion pertains to IPv4, IPv6 also allows fragmentation and I
suspect IPv6 will also be affected by this attack.

This is an extension of the "Rose Attack" previously posted to the Bugtraq
mailing list. I have decided to call this attack the "New Dawn attack" to
differentiate it from the original "Rose Attack".

The following explanation is currently up to date and will be updated as
necessary:

http://digital.net/~gandalf/Rose_Frag_Attack_Explained.htm
http://digital.net/~gandalf/Rose_Frag_Attack_Explained.txt

After I released the initial Rose Attack, Paul Starzetz mentioned that you
can also cause high CPU utilization using a variation of this attack. The
high CPU is caused by sending a large number of small fragments (with
fragments missing) and then sending the final fragment repeatedly. Each time
the last fragment is sent, the machine under attack tries to reassemble the
entire datagram, with the associated memory allocate / free for the size of
the datagram.

Of the machines I have had access to, this attack has caused any number of
the following problems:

1) Causes the CPU to spike, thus exhausting processor resources.
2) Legitimate fragmented packets are dropped intermittently (unfragmented
   packets get through fine).
3) Legitimate fragmented packets are no longer accepted by the machine under
   attack (unfragmented packets get through fine) until the fragmentation
   time exceeded timers expire.

The following devices were tested. Some showed some or all of the above
symptoms; Mac OS/X and Mandrake 10 did not show any problems. See the above
Rose_Frag_Attack_Explained.htm file for a table of the tests that were run
(bottom of the file):

1) Microsoft Windows 2000
2) Mandrake Linux 9.2
3) Mandrake Linux 10
4) Microsoft Windows XP
5) Mac OS/X V10.3.5

The following vendors have been notified of this condition prior to the
release of this announcement:

1) Microsoft
2) Cisco
3) Apple

Apple has provided a software fix: CVE-IDs: CAN-2004-0744

Mandrake 10 / Linux Kernel v2.6 is not vulnerable.

Software implementation of the New Dawn Attack:

http://digital.net/~gandalf/NewDawn.c
http://digital.net/~gandalf/NewDawn2.c
http://digital.net/~gandalf/NewDawn3.c
http://digital.net/~gandalf/NewDawn4.c

You will need NetW(ib)(ox)(ag) for NewDawn3 and NewDawn4:
http://www.laurentconstantin.com/en/netw/

I used:
http://www.laurentconstantin.com/common/netw/download/v5/netw-ib-ox-ag-5.24.0.tgz

The suggested software solution to this attack is to peruse the Linux Kernel
v2.6.8-rc4 /net/ipv4/ip_fragment.c code. They have done a pretty good job
(with the exception of the small fragment buffer IMHO) of keeping the above
problems to a minimum.

If you have any questions please ask.

Ken
------------------------------------------------------------------
Do not meddle in the affairs of wizards for they are subtle and quick to anger.
Ken Hollis - Gandalf The White - gandalf@xxxxxxxxxxx - O- TINLC
WWW Page - http://gandalf.home.digital.net/
Trace E-Mail forgery - http://gandalf.home.digital.net/spamfaq.html
Trolls crossposts - http://gandalf.home.digital.net/trollfaq.html
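As an added illustration for defenders (not part of the original post, and not the NewDawn*.c code linked above): a small Python monitor that tracks fragment queues per (src, dst, IP id) and flags the pattern the post describes, an incomplete queue with holes whose final fragment keeps arriving, each copy forcing another reassembly attempt. The fragment records, the addresses and the alert threshold of 5 are constructed assumptions.

```python
class FragMonitor:
    """Track IPv4 fragment queues per (src, dst, id); flag repeated final fragments."""

    def __init__(self, threshold=5):            # threshold is an assumed tunable
        self.threshold = threshold
        self.queues = {}                        # key -> {"ranges", "total", "resends"}
        self.alerts = []

    def observe(self, src, dst, ip_id, offset8, mf, length):
        """offset8 is the IP fragment offset field (units of 8 bytes); mf the More Fragments flag."""
        key = (src, dst, ip_id)
        q = self.queues.setdefault(key, {"ranges": set(), "total": None, "resends": 0})
        start, end = offset8 * 8, offset8 * 8 + length
        if not mf:                              # final fragment fixes the datagram's total length
            if q["total"] == end:
                q["resends"] += 1               # the same final fragment seen again
            q["total"] = end
        q["ranges"].add((start, end))
        if self._complete(q):                   # every byte present: normal reassembly, drop state
            del self.queues[key]
            return None
        if q["resends"] >= self.threshold:      # holes remain, yet the tail keeps arriving
            alert = (key, q["resends"])
            self.alerts.append(alert)
            return alert
        return None

    @staticmethod
    def _complete(q):
        if q["total"] is None:
            return False
        covered = 0
        for s, e in sorted(q["ranges"]):        # walk fragments in offset order, looking for a hole
            if s > covered:
                return False
            covered = max(covered, e)
        return covered >= q["total"]


def run_sample():
    """Constructed traffic: one benign two-fragment datagram, then a New Dawn pattern."""
    m = FragMonitor(threshold=5)
    m.observe("10.0.0.5", "10.0.0.9", 100, 0, True, 1480)     # benign first fragment
    m.observe("10.0.0.5", "10.0.0.9", 100, 185, False, 200)   # benign last fragment completes it
    benign_alerts = len(m.alerts)
    for off in range(0, 40, 2):                                # small fragments, every other one missing
        m.observe("10.0.0.7", "10.0.0.9", 200, off, True, 8)
    for _ in range(10):                                        # the final fragment re-sent ten times
        m.observe("10.0.0.7", "10.0.0.9", 200, 50, False, 8)
    return benign_alerts, len(m.alerts), m.alerts[0][0] if m.alerts else None
```

A legitimate retransmission of a final fragment that completes its datagram never trips the threshold, because the queue is discarded as soon as no hole remains.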