‹header›

‹date/time›

‹footer›

‹#›

‹#›

Body Text

Second Level

Third Level

Fourth Level

Fifth Level

Slide Reference Number

•

•Significant increases in network-based Denial of Srevice attacks have been observed in the last year.

•

•The “Teardrop” attack affects mostly Linux and Win95/NT hosts (among others). It sends a 2-fragment IP packet, with one fragment too small. This causes IP stacks to overwrite a large amount of memory and crash. •The “Bonk” and “Boink” attacks reverse the “Teardrop” attack in that they set a fragment offset larger than the packet size. These exploits affect Windows machines. “Bonk” attacks only port 53 on these machines, which isn’t always open. “Boink” was released in order to send the attack packets to a range of ports, in order to make the attack more usable. •The “NewTear” attack affects Windows machines as well. It is simply a modified version of “Teardrop” which changes padding length and increases the UDP header length field to twice the size of the packet. •The “Ping of Death” attack affects many IP stacks, sending a fragmented packet which, when reassembled, is larger than 65536 bytes. This causes an IP stack not protecting against the attack to overwrite the buffer used to reassemble the packet.

•

•Host Requirements RFC-1122 Section 3.2.2.6 states “An ICMP Echo Request destined to an IP broadcast or IP multicast address MAY be silently discarded.”

•Patches are available for free UNIX-ish operating systems.

•

•Cisco bugfixes which address some of the problems related to protection against Denial of Service attacks:

•BugID CSCdj35407 - “fast drop” ACL code - integrated in 11.1(14)CA

•BugID CSCdj35856 - ACL logging throttles - integrated in 11.1(15)CA

•

•http://www.quadrunner.com/~chuegen/smurf/ contains detailed information about the “Smurf” and “Fraggle” attacks.

•

•http://ds.internic.net/rfc/rfc2267.txt is a recently-published informational RFC describing implementation of filters to protect against origination and reception of some spoofed packets.

•

•http://www.security.mci.net/dostracker/ contains information about the MCI-developed DoSTracker tool designed to automate the process of tracking spoofed packets through a network using Cisco routers.

•

•Other DoS attack information:

•“Defining Strategies to Protect Against TCP SYN Denial of Service Attacks”

•http://www.cisco.com/warp/public/707/4.html

•“Defining Strategies to Protect Against UDP Diagnostic Port Denial of Service Attacks”

•http://www.cisco.com/warp/public/707/3.html

•