The TCP connections don't actually become active until the final ACK packet
for the TCP handshake is checked. If the sequence number doesn't match
or the ACK never arrives, a connection is never created. This helps prevent
spoofed connection attempts, since the ACK packet requires information to
be sent to the source address of the initial SYN packet.
0x452 The Ping of Death
According to the specification for ICMP, ICMP echo messages can only have
2^16, or 65,536, bytes of data in the data part of the packet. The data portion
of ICMP packets is commonly overlooked, since the important information is
in the header. Several operating systems crashed if they were sent ICMP echo
messages that exceeded the size specified. An ICMP echo message of this gargantuan
size became affectionately known as “The Ping of Death.” It was a
very simple hack exploiting a vulnerability that existed because no one ever
considered this possibility. It should be easy for you to write a program using
libnet that can perform this attack; however, it won't be that useful in the
real world. Modern systems are all patched against this vulnerability.
However, history tends to repeat itself. Even though oversized ICMP
packets won't crash computers anymore, new technologies sometimes
suffer from similar problems. The Bluetooth protocol, commonly used with
phones, has a similar ping packet on the L2CAP layer, which is also used to
measure the communication time on established links. Many implementations
of Bluetooth suffer from the same oversized ping packet problem. Adam
Laurie, Marcel Holtmann, and Martin Herfurt have dubbed this attack
Bluesmack and have released source code by the same name that performs
this attack.
0x453 Teardrop
Another crashing DoS attack that came about for the same reason was called
teardrop. Teardrop exploited another weakness in several vendors' implementations
of IP fragmentation reassembly. Usually, when a packet is fragmented,
the offsets stored in the header will line up to reconstruct the original packet
with no overlap. The teardrop attack sent packet fragments with overlapping
offsets, which caused implementations that didn't check for this irregular
condition to inevitably crash.
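As an added example (not from the book or from the libnet-based program it mentions), here is the check that the implementations described in the two sections above lacked: a small IP fragment reassembler that rejects overlapping offsets (the Teardrop condition) and any fragment that would push the datagram past the 16-bit IP length limit (the oversized-ping condition). Fragments are constructed (offset in 8-byte units, more-fragments flag, payload) tuples rather than parsed packets.

```python
MAX_DATAGRAM = 65535  # largest value of the 16-bit IP total-length field, in bytes
FRAG_UNIT = 8         # the IP fragment-offset field counts 8-byte units


class FragmentError(ValueError):
    """The fragment set is malformed and must be dropped, not reassembled."""


def reassemble(fragments):
    """Reassemble constructed fragments given as (offset_units, more_fragments, payload).
    Raises FragmentError for the checks the vulnerable stacks lacked: data beyond
    65,535 bytes (oversized ping) and overlapping offsets (Teardrop).
    """
    frags = sorted(fragments, key=lambda f: f[0])
    covered_to = 0     # first byte not yet supplied by an earlier fragment
    saw_last = False   # set once the fragment with MF=0 has been placed
    out = bytearray()
    for offset_units, more, payload in frags:
        start = offset_units * FRAG_UNIT
        end = start + len(payload)
        if end > MAX_DATAGRAM:
            raise FragmentError(f"oversized: fragment ends at byte {end} > {MAX_DATAGRAM}")
        if start < covered_to:
            raise FragmentError(f"overlap: offset {start} is inside data received up to {covered_to}")
        if start > covered_to:
            raise FragmentError(f"gap: bytes {covered_to}-{start - 1} missing")
        if saw_last:
            raise FragmentError("data after the final fragment")
        if more and len(payload) % FRAG_UNIT:
            raise FragmentError("non-final fragment length is not a multiple of 8")
        out += payload
        covered_to = end
        saw_last = not more
    if not saw_last:
        raise FragmentError("final fragment (MF=0) never arrived")
    return bytes(out)


def validate(fragments):
    """Return 'ok' if the set reassembles cleanly, otherwise the rejection reason."""
    try:
        reassemble(fragments)
        return "ok"
    except FragmentError as exc:
        return str(exc)

# Constructed sample inputs: a clean three-fragment datagram and two hostile sets.
CLEAN = [(0, True, b"A" * 8), (1, True, b"B" * 8), (2, False, b"C" * 5)]
TEARDROP = [(0, True, b"A" * 16), (1, False, b"B" * 8)]  # second fragment starts at byte 8
OVERSIZED = [(8191, False, b"X" * 16)]                    # would end at byte 65,544
```

A real stack would hold a gapped set in a reassembly queue with a timeout instead of rejecting it outright; the overlap and size checks are the ones that matter for the crashes described here.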
Although this specific attack doesn't work anymore, understanding the
concept can reveal problems in other areas. Although not limited to a Denial
of Service, a recent remote exploit in the OpenBSD kernel (which prides
itself on security) had to do with fragmented IPv6 packets. IP version 6 uses
more complicated headers and even a different IP address format than the
IPv4 most people are familiar with. Often, the same mistakes made in the
past are repeated by early implementations of new products.