Death

There have been a number of attacks at TCP/IP stacks, many of which break many different disparate operating systems. Most of these attacks attack the fragment reassembly code, which is often pretty sloppy, by sending fragments which reassemble into too large a packet or sending fragments which overlap in fiendish ways or fragmenting the header of the IP packet.

• Ping o' Death
  aka. fat ping
  Ping o' Death Page
  The maximum legal ping data size is 65507 bytes (which yeilds 65535 with ip header and ICMP echo request) or less if certain options are present. The Ping o' Death sends a ping of 65510 bytes. Naturally, any ping that large will be fragmented in transit. When the packet is reassembled, it exceeds 64K in length which broke most TCP/IP stacks resulting in internal buffer overflows. Originally, this was done from a windows machine since the windows version of ping allows pings of illegal length to be sent. The ping command on most unix systems cannot produce an oversize ping, although there are programs which are availible for unix which will do so. Affected most versions of unix, windows, VMS, netware, many DOS stacks, KA9q, routers and terminal servers, Mac's. Some systems even crashed when sending the ping 'o death. Performance may vary based on system load (if system is idle, nothing important may be overwritten). Depending on the system, the POD may result in crashes, lockups, or reboots. Flooding a host with hostile pings may be more effective and some systems are more vulnerable to differnt size pings.

  For linux, this is fixed in kernel version 2.0.24 and later 2.0.x kernels.

  A machine behind a linux box used as a router or firewall is probably safe if the kernel was compiled with the option to always reassemble fragments enabled.

• Teardrop or tear
• Newtear
• Bork
• Land
  A SYN packet with the source address is forged to be the same as the destination.
• winnuke
• jolt
• ssping
• exploit
• synk4
• smurf
  Invoves ICMP echo requests (pings) with forged return addresses of the ultimate victim being sent to broadcast addresses on various networks causing the machines on those networks to flood the ultimate victim. There is no easy solution for the victim site since the real remedies are needed at the intermediate sites. The intermediate sites firewall needs to stop IP broadcasts from entering from the outside and prevent masquerading packets (both things it should be doing anyway). To protect a victim site, a firewall could probably keep a list of the last n hosts which ECHO requests had been sent to and squash all echo replies which did not come from those hosts.

SYN flooding

Here are some attacks that don't fit the ping of death style (i.e. don't attack the tcp stack itself).

• sunkill.c attacks telnetd

This file is maintained by Mark Whitis (whitis@freelabs.com).

Senior Engineer for hire Software Development - Electronic Design - Embedded Systems - Device Drivers - System/Network Administration and Security - Motor Control, RobotCNC - Linux/Un*x - 25+ years experience The author of these pages is looking for a new gig. [RESUME]

Engineers and electronic hobbyists: The new Open Symbol Project is creating open schematic symbols and PCB footprints for a variety of different CAD packages.

Mark Whitis's Website

Home Page

Linux

Book: Linux Programming Unleashed

My Resume

Genealogical Data

Contact Info

Security

About

All email messages received must pass the turing test or they will be considered SPAM. If it could have been written by a machine, it was.

Under no circumstances are you to email me with questions regarding windoze, any other microsoft operating system or application, or any software which runs under any form of windoze.

*