Lancom Systems LCOS 3.50 Server User Manual


 
LANCOM Reference Manual LCOS 3.50 - Chapter 8: Firewall
a new Denial of Service attack can thereby result if the victim's memory is exhausted.
Teardrop
The Teardrop attack works with overlapping fragments. After the first fragment, a second one is sent that lies completely within the first, i.e. the end of the second fragment is located before the end of the first. If the IP stack programmer carelessly determines the number of bytes to copy for reassembly simply as "new end" minus "old end", the result is a negative value, or rather, interpreted as an unsigned length, a very large positive value; the copy operation then overwrites parts of the victim's memory and the workstation crashes.
The Firewall again has two possibilities:
Either the Firewall reassembles the packet itself and, if necessary, rejects the entire packet, or it keeps only the minimum offset and the maximum end of the packet seen so far and rejects all fragments whose offset or end falls into this range. In the first case the implementation within the Firewall must be correct, so that the Firewall does not itself become the victim. In the second case, "half" reassembled packets again accumulate at the victim.
Bonk/Fragrouter
Bonk is a variant of the Teardrop attack that does not aim at crashing the attacked computer, but at tricking simple port filter Firewalls that also accept fragmented packets, in order to penetrate the protected network. In this attack, the UDP or TCP header of the first fragment is overwritten by a skillful choice of the fragment offset. Simple port filter Firewalls accept the first packet and the fragments belonging to it, while the second fragment overwrites the header of the first packet. Suddenly a permissible packet is created, one that the Firewall actually should have blocked. Against this the Firewall can either reassemble the packet itself or filter only the wrong fragment (and all following ones), which leads to the problems already indicated for each of the two solutions above.
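The second Firewall strategy described above (track only the minimum offset and maximum end per datagram, reject any fragment whose offset or end falls into that range) is shown here as an added example, not code from the manual or from LCOS. It runs constructed fragment sequences for the Teardrop and Bonk cases and also shows the caveat the text mentions: a legitimate late fragment that fills a gap is rejected too, so the datagram stays "half" reassembled at the receiver. The flow key layout and the addresses are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Datagram key (src, dst, protocol, IP identification); the layout is an assumption for this example.
FlowKey = Tuple[str, str, int, int]

@dataclass
class FragmentRange:
    """Per-datagram state: only the lowest offset and highest end seen so far, in bytes."""
    min_offset: Optional[int] = None
    max_end: Optional[int] = None

class FragmentFilter:
    """No reassembly: one [min_offset, max_end) range per datagram; any fragment whose
    offset or end falls inside that range is rejected (second strategy in the text)."""

    def __init__(self) -> None:
        self._ranges: Dict[FlowKey, FragmentRange] = {}

    def check(self, key: FlowKey, offset: int, length: int) -> bool:
        """True = accept, False = reject. offset is the IP fragment offset field times 8."""
        if length <= 0:
            return False
        end = offset + length
        state = self._ranges.setdefault(key, FragmentRange())
        if state.min_offset is None or state.max_end is None:
            state.min_offset, state.max_end = offset, end
            return True
        # Half-open intervals: a fragment touching min_offset or max_end is adjacent, not overlapping.
        if state.min_offset <= offset < state.max_end or state.min_offset < end <= state.max_end:
            return False
        if offset < state.min_offset and end > state.max_end:  # swallows the whole known range
            return False
        state.min_offset, state.max_end = min(state.min_offset, offset), max(state.max_end, end)
        return True

def run_scenarios() -> Dict[str, List[bool]]:
    """Constructed (offset, length) sequences per datagram; values are per-fragment verdicts."""
    scenarios = {
        "normal": [(0, 1480), (1480, 1480), (2960, 500)],   # in order, all accepted
        "teardrop": [(0, 36), (24, 4)],                      # second fragment ends inside the first
        "bonk": [(0, 36), (0, 8)],                           # second fragment lands on the first header
        "gap_fill": [(0, 100), (200, 100), (100, 100)],      # legitimate late fragment, still rejected
    }
    results: Dict[str, List[bool]] = {}
    for name, frags in scenarios.items():
        filt = FragmentFilter()
        key: FlowKey = ("10.0.0.1", "10.0.0.2", 17, 0x1234)  # constructed addresses and IP id
        results[name] = [filt.check(key, off, ln) for off, ln in frags]
    return results
```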
In the default installation all items are configured as "secure", i.e. a maximum of 100 permissible half-open connections from different workstations (see SYN Flooding), at most 50 half-open connections from a single computer (see Portscan), and fragmented packets are to be reassembled.