FreeBSD and the Rose Attack / NewDawn

Gandalf The White gandalf at digital.net
Sat May 7 07:17:38 PDT 2005


Greetings and Salutations:

On 5/6/05 6:56 PM, "Mike Silbersack" <silby at silby.com> wrote:
> I'll take a look at it while I'm at BSDCan next week.  From your website's
> description of the attack, I don't see why FreeBSD would be affected so
> greatly... we must be wasting a lot of time traversing linked lists / etc.
> Mike "Silby" Silbersack

I realize that Mac OS/X has probably deviated significantly from its FreeBSD
roots, but OS/X also showed the same issues until Apple fixed the problem.

Take a look at the Linux implementation, they did a pretty good job.  It
consists of something like:
0) Store the size of packet in a variable
1) Add up the number of bytes the fragments received and continue to store /
accept fragments until ...
2) You get the final fragment.  If you have enough bytes to look like you
have the entire packet then send the fragment off for reassembly, otherwise
keep accepting fragments until you get enough fragments for the whole
packet.

The only problem I see with this is that if you have some kind of weird
routing issue where a router or switch is duplicating fragments then the
fragmented packet may not get through unless all of the intermediate
fragments arrive before the final fragment.

Of course we won't mention some kind of injection / spoofing attack where
someone sends spoofed fragmented packets to screw up the real data ...

Ken

---------------------------------------------------------------
Do not meddle in the affairs of wizards for they are subtle and
quick to anger.
Ken Hollis - Gandalf The White - gandalf at digital.net - O- TINLC
WWW Page - http://digital.net/~gandalf/
Trace E-Mail forgery - http://digital.net/~gandalf/spamfaq.html
Trolls crossposts - http://digital.net/~gandalf/trollfaq.html
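
The byte-accounting scheme outlined in the message above, together with its duplicated-fragment caveat, as an added C sketch that is not part of the original post and is not the Linux or FreeBSD code. `struct fragq`, `fragq_add` and the per-block `seen` map are hypothetical names, and counting each 8-byte block only once goes beyond what the message describes.

```c
#include <stdint.h>
#include <string.h>

#define MAX_DGRAM 65535u                 /* largest IPv4 datagram */
#define BLOCKS ((MAX_DGRAM + 7) / 8)     /* fragment offsets count 8-byte blocks */

struct fragq {                           /* hypothetical per-datagram state */
    uint32_t total_len;                  /* step 0: size, set by the final fragment */
    uint32_t raw_bytes;                  /* step 1 as described: every byte received */
    uint32_t meat;                       /* bytes counted once, duplicates ignored */
    uint32_t max_end;                    /* highest byte offset seen so far */
    int have_last;                       /* final fragment (MF clear) has arrived */
    uint8_t seen[BLOCKS];                /* 8-byte blocks already received */
};

void fragq_init(struct fragq *q) { memset(q, 0, sizeof *q); }

/* Returns 1 when complete (hand to reassembly), 0 to keep waiting,
 * -1 when the fragment is inconsistent and is dropped. */
int fragq_add(struct fragq *q, uint32_t off, uint32_t len, int more_frags)
{
    uint32_t end = off + len;

    if (len == 0 || len > MAX_DGRAM || off > MAX_DGRAM || end > MAX_DGRAM ||
        off % 8 || (more_frags && len % 8))
        return -1;
    if (more_frags ? (q->have_last && end > q->total_len)
                   : (end < q->max_end || (q->have_last && end != q->total_len)))
        return -1;
    if (!more_frags) {                   /* step 2: final fragment fixes the size */
        q->total_len = end;
        q->have_last = 1;
    }
    if (end > q->max_end)
        q->max_end = end;
    q->raw_bytes += len;                 /* naive sum, inflated by duplicates */
    for (uint32_t b = off / 8; b * 8 < end; b++) {
        uint32_t blk_end = (b + 1) * 8 < end ? (b + 1) * 8 : end;
        if (!q->seen[b]) {               /* count each block only the first time */
            q->seen[b] = 1;
            q->meat += blk_end - b * 8;
        }
    }
    return q->have_last && q->meat == q->total_len;
}
```

With a duplicated first fragment and a missing middle one, `raw_bytes` already equals `total_len` when the final fragment arrives, while `meat` still shows the hole.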




More information about the freebsd-net mailing list