intended victim. "Jolt" is simply a purpose-written program for generating such packets on operating
systems whose ping commands refuse to generate oversized packets.
The triggering factor is that the last fragment makes the total packet size exceed 65535 bytes, which
is the highest number that a 16-bit integer can store. When the value overflows, it jumps back to a
very small number. What happens then is a function of how well the victim's IP stack is
implemented.
NetDefendOS will never allow fragments through that would result in the total size exceeding
65535 bytes. In addition to that, there are configurable limits for IP packet sizes in Advanced
Settings.
Ping of death will show up in NetDefendOS logs as drops with the rule name set to
"LogOversizedPackets". The sender IP address may be spoofed.
6.6.4. Fragmentation overlap attacks: Teardrop, Bonk,
Boink and Nestea
Teardrop and its followers are fragment overlap attacks. Many IP stacks have shown erratic
behavior (excessive resource exhaustion or crashes) when exposed to overlapping fragments.
NetDefendOS protects fully against fragmentation overlap attacks. Overlapping fragments are never
allowed to pass through the system.
Teardrop and its followers will show up in NetDefendOS logs as drops with the rule name set to
"IllegalFrags". The sender IP address may be spoofed.
6.6.5. The Land and LaTierra attacks
The Land and LaTierra attacks works by sending a packet to a victim and making the victim
respond back to itself, which in turn generates yet another response to itself, etc. This will either bog
the victim's machine down, or make it crash.
The attack is accomplished by using the victim's IP address in the source field of an IP packet as
well as in the destination field.
NetDefendOS protects against this attack by applying IP spoofing protection to all packets. In its
default configuration, it will simply compare arriving packets to the contents of the routing table; if
a packet arrives on an interface that is different from the interface where the system expects the
source to be, the packet will be dropped.
Land and LaTierra attacks will show up in NetDefendOS logs as drops with the rule name set to
"AutoAccess" by default, or, if you have written custom Access rules, the name of the Access rule
that dropped the packet. The sender IP address is of no interest here since it is always the same as
the destination IP address.
6.6.6. The WinNuke attack
The WinNuke attack works by connecting to a TCP service that does not have handlers for
"out-of-band" data (TCP segments with the URG bit set), but still accepts such data. This will
usually put the service in a tight loop that consumes all available CPU time.
One such service was the NetBIOS over TCP/IP service on Windows machines, which gave the
attack its name.
NetDefendOS protects against this in two ways:
•
With a careful inbound policy, the attack surface is greatly reduced. Only exposed services could
possibly become victims to the attack, and public services tend to be more well-written than
services expected to only serve the local network.
6.6.4. Fragmentation overlap attacks:
Teardrop, Bonk, Boink and Nestea
Chapter 6. Security Mechanisms
277
Summary of Contents for 800 - DFL 800 - Security Appliance
Page 24: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 24 ...
Page 69: ...2 6 4 Restore to Factory Defaults Chapter 2 Management and Maintenance 69 ...
Page 121: ...3 9 DNS Chapter 3 Fundamentals 121 ...
Page 181: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 181 ...
Page 192: ...5 5 IP Pools Chapter 5 DHCP Services 192 ...
Page 282: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 282 ...
Page 300: ...mechanism 7 3 7 SAT and FwdFast Rules Chapter 7 Address Translation 300 ...
Page 301: ...7 3 7 SAT and FwdFast Rules Chapter 7 Address Translation 301 ...
Page 318: ...8 3 Customizing HTML Pages Chapter 8 User Authentication 318 ...
Page 322: ...ALG 9 1 5 The TLS Alternative for VPN Chapter 9 VPN 322 ...
Page 377: ...Management Interface Failure with VPN Chapter 9 VPN 377 ...
Page 408: ...10 4 6 SLB_SAT Rules Chapter 10 Traffic Management 408 ...
Page 419: ...11 5 HA Advanced Settings Chapter 11 High Availability 419 ...
Page 426: ...12 3 5 Limitations Chapter 12 ZoneDefense 426 ...
Page 449: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 449 ...