Bug 134275 (IT51660)

Summary: "New Dawn" Attack
Product: Red Hat Enterprise Linux 2.1
Reporter: Josh Bressers <bressers>
Component: kernel
Assignee: Don Howard <dhoward>
Status: CLOSED WONTFIX
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: 2.1
CC: barryn, gandalf, jneedle, riel, tao
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20040927
Doc Type: Bug Fix
Last Closed: 2005-11-03 01:05:42 UTC

Description Josh Bressers 2004-09-30 20:15:10 UTC
This message was posted to bugtraq on 2004-09-27:
http://www.securityfocus.com/archive/1/376490/2004-09-25/2004-10-01/0

Securityfocus is claiming that at least RHEL2.1 is vulnerable to this
issue:
http://www.securityfocus.com/bid/11258

Can we have someone look into whether we're vulnerable to this issue, and
can we verify that RHEL3 is not vulnerable?

Comment 3 Josh Bressers 2004-10-21 16:45:28 UTC
We do not believe that this attack poses a serious threat to Red Hat 
Enterprise Linux 2.1 and 3 systems.

In the Red Hat Enterprise Linux kernel, the ip_fragment.c routines
protect us from this by checking the memory used for IP fragments.
When the amount of memory being used by IP fragments is greater than
256K, the ip_evictor() routine is called to clean up outstanding
fragments.

Test results indicate that Red Hat Enterprise Linux does become
unresponsive when the attack is launched against it.  The machines,
however, do not crash, and return to normal operation once the attack
finishes.
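One way a defender can watch for the condition described above from the host itself, as an added example that is not from this bug report or from the Red Hat kernel: compare the IP reassembly counters in /proc/net/snmp between two readings and flag an interval in which almost every new reassembly attempt fails or times out instead of completing. The two snapshots are constructed sample data and the thresholds are assumptions to be tuned per site.

```python
"""Spot reassembly pressure from /proc/net/snmp counters (added example,
not part of the Bugzilla thread). Assumes the Linux /proc/net/snmp layout:
an "Ip:" line of field names followed by an "Ip:" line of values."""

# Constructed snapshots, ten seconds apart. ReasmReqds counts fragments
# received; ReasmOKs counts datagrams completed. Here almost every new
# fragment belongs to a datagram that never completes, so ReasmFails and
# ReasmTimeout climb while ReasmOKs barely moves.
IP_FIELDS = ("Ip: Forwarding DefaultTTL InReceives InHdrErrors InAddrErrors "
             "ForwDatagrams InUnknownProtos InDiscards InDelivers OutRequests "
             "OutDiscards OutNoRoutes ReasmTimeout ReasmReqds ReasmOKs "
             "ReasmFails FragOKs FragFails FragCreates")
SNAPSHOT_T0 = IP_FIELDS + "\nIp: 2 64 1000000 0 0 0 0 0 999000 800000 0 0 10 500 480 20 0 0 0\n"
SNAPSHOT_T1 = IP_FIELDS + "\nIp: 2 64 1180000 0 0 0 0 0 999500 800100 0 0 4010 120500 490 120010 0 0 0\n"

def parse_ip_counters(snmp_text):
    """Return the Ip: counter row of /proc/net/snmp as a name -> value dict."""
    rows = [ln for ln in snmp_text.splitlines() if ln.startswith("Ip:")]
    if len(rows) < 2:
        raise ValueError("no Ip: header/value pair in snapshot")
    names = rows[0].split()[1:]
    values = [int(v) for v in rows[1].split()[1:]]
    if len(names) != len(values):
        raise ValueError("Ip: header and value counts differ")
    return dict(zip(names, values))

def reassembly_delta(before, after):
    """Growth of the reassembly counters between two snapshots."""
    keys = ("ReasmReqds", "ReasmOKs", "ReasmFails", "ReasmTimeout")
    return {k: after[k] - before[k] for k in keys}

def fragment_pressure(before, after, min_reqds=1000, max_fail_ratio=0.5):
    """Flag an interval in which most new reassembly work never completes.

    min_reqds and max_fail_ratio are assumed, site-tunable thresholds.
    Returns (flagged, fail_ratio)."""
    d = reassembly_delta(before, after)
    if d["ReasmReqds"] < min_reqds:
        return False, 0.0          # too little traffic to judge
    ratio = d["ReasmFails"] / d["ReasmReqds"]
    return ratio > max_fail_ratio, ratio

if __name__ == "__main__":
    t0, t1 = parse_ip_counters(SNAPSHOT_T0), parse_ip_counters(SNAPSHOT_T1)
    flagged, ratio = fragment_pressure(t0, t1)
    print(reassembly_delta(t0, t1), "PRESSURE" if flagged else "ok", round(ratio, 4))
```

On Linux the 256K figure in the comment above is the fragment-memory high-water mark exposed as the ipfrag_high_thresh sysctl, so the same counters can be read alongside that setting when sizing thresholds for a given host.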

Comment 4 Josh Bressers 2004-10-21 16:56:08 UTC
Please note additionally that this Denial of Service condition is
very similar to a typical network-based Denial of Service attack.

Comment 5 Ken Hollis 2004-11-09 03:10:39 UTC
Greetings and Salutations:

The condition you have dismissed *is* the problem.  A Red Hat server is vulnerable to this
attack.  You can (with a relatively small number of packets) drive the CPU utilization up.
Also, if the packets are formed correctly, IDSs do not pick this up as an attack.

I would suggest that you look at the latest Linux 2.6 kernel.  This issue has been fixed in
the ip_fragment.c routine.  Very elegantly, I might add.

See:
http://digital.net/~gandalf/Rose_Frag_Attack_Explained.htm

Ken Hollis


Comment 9 Don Howard 2005-11-03 01:05:42 UTC
The NewDawn reproducer does indeed cause heavy CPU usage on RHEL21.  The
suggested backport from 2.6's ip_fragment.c does not make a noticeable difference
in CPU usage when the attack is running.  As noted before, the attack degrades
performance, but does not cause a crash.  Also worth noting, the attack drove up
CPU usage on only one processor of an SMP system, with the second processor
remaining 95% (or more) idle.