Fragmentation DoS?

Fragmentation DoS?

[date]

To whom this may concern:

 It seems that when I run fragrouter-1.7 with a combination of
 -F3, -F4, -F5, and -T7 options, my linux kernel 2.4.18 will
 crash. I've tested this with fragrouter's 1.6 and 1.5, but have
 not yet been able to crash my kernel. To crash my 2.4.18 remotely
 with fragrouter 1.7 it usually takes about 15-20 tries. Maybe there
 is some sort of race condition occuring? I have also tried to
 crash my linux 2.2.x series kernals but have failed.

 Here are the sources I have been testing with:
 www.anzen.com/archive/research/fragrouter-1.7.tar.gz
 www.anzen.com/archive/research/fragrouter-1.6.tar.gz

 Here is the kernel oops message that I grabbed from messages:

general protection fault: 0000
CPU:    0
EIP:    0010:[<c0141099>]    Not tainted
EFLAGS: 00010246
eax: 00000000   ebx: ffffffff   ecx: 00000018   edx: c0141080
esi: c12c3e30   edi: ffffffff   ebp: ffffffff   esp: cfc95db0
ds: 0018   es: 0018   ss: 0018
Process sshd (pid: 59, stackpage=cfc95000)
Stack: 00000000 c0feb020 c01284ca ffffffff c12c3e30 00000001 00000001
000000f0
       c0feb000 c139c1a0 00000080 00000000 00000008 c12c3e30 00000246
c12c3e38
       000000f0 c01285f9 c12c3e30 000000f0 c0178612 00000000 00000000
00000008
Call Trace:    [<c01284ca>] [<c01285f9>] [<c0178612>] [<c0131a84>]
[<c0131b46>]
  [<c0131d88>] [<c0132428>] [<c01231fd>] [<c0123298>] [<c0151aa0>]
[<c01238a5>]
  [<c0123c03>] [<c012403c>] [<c0123f40>] [<c012fd56>] [<c012fca9>]
[<c01087eb>]

Code: f3 ab c7 43 48 00 00 00 00 8d 53 48 8d 43 4c 89 42 04 89 42

 Thanks for your time

 - nobu

Re: Fragmentation DoS?

[Matti Aarnio]

On Sun, Oct 20, 2002 at 04:18:12AM +0900, date wrote:
...
>  Here is the kernel oops message that I grabbed from messages:

This oops report is valid for your system, but provides no usefull
data, as actual memory layouts in different systems do vary. See:

   http://www.tux.org/lkml/#s4-3

Then post again.

> general protection fault: 0000
> CPU:    0
> EIP:    0010:[<c0141099>]    Not tainted
> EFLAGS: 00010246
> eax: 00000000   ebx: ffffffff   ecx: 00000018   edx: c0141080
> esi: c12c3e30   edi: ffffffff   ebp: ffffffff   esp: cfc95db0
> ds: 0018   es: 0018   ss: 0018
> Process sshd (pid: 59, stackpage=cfc95000)
> Stack: 00000000 c0feb020 c01284ca ffffffff c12c3e30 00000001 00000001
> 000000f0
>        c0feb000 c139c1a0 00000080 00000000 00000008 c12c3e30 00000246
> c12c3e38
>        000000f0 c01285f9 c12c3e30 000000f0 c0178612 00000000 00000000
> 00000008
> Call Trace:    [<c01284ca>] [<c01285f9>] [<c0178612>] [<c0131a84>]
> [<c0131b46>]
>   [<c0131d88>] [<c0132428>] [<c01231fd>] [<c0123298>] [<c0151aa0>]
> [<c01238a5>]
>   [<c0123c03>] [<c012403c>] [<c0123f40>] [<c012fd56>] [<c012fca9>]
> [<c01087eb>]
> 
> Code: f3 ab c7 43 48 00 00 00 00 8d 53 48 8d 43 4c 89 42 04 89 42
> 
>  Thanks for your time
> 
>  - nobu
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/

Re: Fragmentation DoS?

[Juri Haberland]

In article <200210191918.g9JJICT3032735@sh.7501.net> you wrote:
> To whom this may concern:
> 
>  It seems that when I run fragrouter-1.7 with a combination of
>  -F3, -F4, -F5, and -T7 options, my linux kernel 2.4.18 will
>  crash. I've tested this with fragrouter's 1.6 and 1.5, but have
>  not yet been able to crash my kernel. To crash my 2.4.18 remotely
>  with fragrouter 1.7 it usually takes about 15-20 tries. Maybe there
>  is some sort of race condition occuring? I have also tried to
>  crash my linux 2.2.x series kernals but have failed.
> 
>  Here are the sources I have been testing with:
>  www.anzen.com/archive/research/fragrouter-1.7.tar.gz
>  www.anzen.com/archive/research/fragrouter-1.6.tar.gz

You did read http://online.securityfocus.com/archive/1/296407 , did you?

Fragrouter-1.7 is a trojan!

Regards,
Juri

-- 
Juri Haberland  <juri@koschikode.com> 

Re: Fragmentation DoS?

[Mike Dresser]

On Fri, 25 Oct 2002, Juri Haberland wrote:

> You did read http://online.securityfocus.com/archive/1/296407 , did you?
>
> Fragrouter-1.7 is a trojan!

Furthermore, if you look at
http://marc.theaimsgroup.com/?l=cisco-nsp&m=103515530331228&w=2, you'll
see this person cut/pasted and changed a few words.

And the second link on the securityfocus page is that very lkml post :)

Mike

Re: Fragmentation DoS?

[Juri Haberland]

Mike Dresser wrote:

> Furthermore, if you look at
> http://marc.theaimsgroup.com/?l=cisco-nsp&m=103515530331228&w=2, you'll
> see this person cut/pasted and changed a few words.
>
> And the second link on the securityfocus page is that very lkml post :)


Arghl, I didn't look at the date (I had quite a bit of backlog with
respect to lkml...)

How embarrassing.

Sorry for the noise,
Juri

-- 
  If each of us have one object, and we exchange them,
     then each of us still has one object.
  If each of us have one idea,   and we exchange them,
     then each of us now has two ideas.

Re: Fragmentation DoS?

[Mike Dresser]

On Fri, 25 Oct 2002, Juri Haberland wrote:

> Arghl, I didn't look at the date (I had quite a bit of backlog with
> respect to lkml...)
>
> How embarrassing.
>
> Sorry for the noise,
> Juri

I wouldn't consider this noise at all, I don't remember anyone
commenting on it.  It's a good reminder to not believe everything that's
said on the internet :)

Now we're getting into noise :)

Mike