D-Link DFL-860E User Manual for DFL-260E - Page 356
Fragmentation overlap attacks: Teardrop, Bonk, Boink and Nestea
Chapter 6. Security Mechanisms

intended victim. "Jolt" is simply a purpose-written program for generating such packets on operating systems whose ping commands refuse to generate oversized packets.

The triggering factor is that the last fragment makes the total packet size exceed 65535 bytes, which is the highest number that a 16-bit integer can store. When the value overflows, it jumps back to a very small number. What happens then is a function of how well the victim's IP stack is implemented.

NetDefendOS will never allow fragments through that would result in the total size exceeding 65535 bytes. In addition to that, there are configurable limits for IP packet sizes in Advanced Settings.

Ping of death will show up in NetDefendOS logs as drops with the rule name set to "LogOversizedPackets". The sender IP address may be spoofed.

6.6.4. Fragmentation overlap attacks: Teardrop, Bonk, Boink and Nestea

Teardrop and its followers are fragment overlap attacks. Many IP stacks have shown erratic behavior (excessive resource exhaustion or crashes) when exposed to overlapping fragments.

NetDefendOS protects fully against fragmentation overlap attacks. Overlapping fragments are never allowed to pass through the system.

Teardrop and its followers will show up in NetDefendOS logs as drops with the rule name set to "IllegalFrags". The sender IP address may be spoofed.

6.6.5. The Land and LaTierra attacks

The Land and LaTierra attacks work by sending a packet to a victim and making the victim respond back to itself, which in turn generates yet another response to itself, etc. This will either bog the victim's machine down, or make it crash.

The attack is accomplished by using the victim's IP address in the source field of an IP packet as well as in the destination field.

NetDefendOS protects against this attack by applying IP spoofing protection to all packets. In its default configuration, it will simply compare arriving packets to the contents of the routing table; if a packet arrives on an interface that is different from the interface where the system expects the source to be, the packet will be dropped.

Land and LaTierra attacks will show up in NetDefendOS logs as drops with the rule name set to "AutoAccess" by default, or if the configuration contains custom Access Rules, the name of the Access rule that dropped the packet. The sender IP address is of no interest here since it is always the same as the destination IP address.

6.6.6. The WinNuke attack

The WinNuke attack works by connecting to a TCP service that does not have handlers for "out-of-band" data (TCP segments with the URG bit set), but still accepts such data. This will usually put the service in a tight loop that consumes all available CPU time.

One such service was the NetBIOS over TCP/IP service on Windows machines, which gave the attack its name.

NetDefendOS protects against this in two ways:

• With a careful inbound policy, the attack surface is greatly reduced. Only exposed services could possibly become victims of the attack, and public services tend to be better written than services expected to only serve the local network.
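The two fragment checks described in the ping of death and fragmentation overlap paragraphs above (total size over 65535 bytes, overlapping fragments), written out as an added Python example. It is not D-Link code and does not show how NetDefendOS is implemented; `Fragment` and `check_fragments` are hypothetical names, the returned strings reuse the log rule names quoted above, and a 20-byte IP header is assumed.

```python
from dataclasses import dataclass

MAX_IP_PACKET = 65535  # largest value a 16-bit total-length field can hold


@dataclass(frozen=True)
class Fragment:
    offset_units: int  # IP Fragment Offset field, counted in 8-byte units
    payload_len: int   # bytes of data carried after the IP header


def check_fragments(frags, ip_header_len=20):
    """Return the drop reason for one datagram's fragments, or None.

    Assumption: exact duplicates count as overlap, and gaps are not judged.
    """
    spans = sorted((f.offset_units * 8, f.offset_units * 8 + f.payload_len)
                   for f in frags)
    prev_end = 0
    for start, end in spans:
        # Reassembled size = header + highest byte any fragment claims.
        if ip_header_len + end > MAX_IP_PACKET:
            return "LogOversizedPackets"
        # A fragment starting before the previous one ended overlaps it.
        if start < prev_end:
            return "IllegalFrags"
        prev_end = max(prev_end, end)
    return None


# Constructed sample fragment sets (not captured traffic).
SAMPLES = {
    "normal": [Fragment(0, 1480), Fragment(185, 1480), Fragment(370, 100)],
    "overlap": [Fragment(0, 36), Fragment(3, 4)],
    "oversized": [Fragment(0, 1480), Fragment(8189, 1480)],
    "exactly_65535": [Fragment(8189, 3)],
}

if __name__ == "__main__":
    for name, frags in SAMPLES.items():
        print(name, "->", check_fragments(frags) or "pass")
```

The `exactly_65535` case sits on the boundary: 65512 bytes of offset, 3 bytes of data and a 20-byte header total 65535, which still fits in 16 bits and is not flagged.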