Bug 134275 (IT51660)
| Summary: | "New Dawn" Attack | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 2.1 | Reporter: | Josh Bressers <bressers> |
| Component: | kernel | Assignee: | Don Howard <dhoward> |
| Status: | CLOSED WONTFIX | QA Contact: | Brian Brock <bbrock> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 2.1 | CC: | barryn, gandalf, jneedle, riel, tao |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | impact=moderate,public=20040927 | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2005-11-03 01:05:42 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Josh Bressers
2004-09-30 20:15:10 UTC
We do not believe that this attack poses a serious threat to Red Hat Enterprise Linux 2.1 and 3 systems. In the Red Hat Enterprise Linux kernel, the ip_fragment.c routines protect us from this by checking the memory used for IP fragments. When the amount of memory being used by IP fragments is greater than 256K, the ip_evictor() routine is called to clean up outstanding fragments.

Test results indicate that Red Hat Enterprise Linux does become unresponsive when the attack is launched against them. The machines however do not crash, and return to normal operation once the attack finishes. Please note additionally that this Denial of Service condition is very similar to a typical network-based Denial of Service attack.

Greetings and Salutations:

The condition you have dismissed *is* the problem. A Red Hat server is vulnerable to this attack. You can (with a relatively small number of packets) drive the CPU utilization up. Also, if the packets are formed correctly, IDSs do not pick this up as an attack.

I would suggest that you look at the latest Linux 2.6 kernel. This issue has been fixed in the ip_fragment.c routine. Very elegantly, I might add.

See: http://digital.net/~gandalf/Rose_Frag_Attack_Explained.htm

Ken Hollis
---------------------------------------------------------------
Do not meddle in the affairs of wizards for they are subtle and quick to anger.
Ken Hollis - Gandalf The White - gandalf - O- TINLC
WWW Page - http://digital.net/~gandalf/
Trace E-Mail forgery - http://digital.net/~gandalf/spamfaq.html
Trolls crossposts - http://digital.net/~gandalf/trollfaq.html

The NewDawn reproducer does indeed cause heavy CPU usage on RHEL21. The suggested backport from 2.6's ip_fragment.c does not make a noticeable difference in CPU usage when the attack is running. As noted before, the attack degrades performance, but does not cause a crash.

Also worth noting, the attack drove up CPU usage on only one processor of an SMP system, with the second processor remaining 95% (or more) idle.
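The memory check described in the report can be modelled in user space to see why fragment memory stays bounded while eviction work continues for as long as incomplete fragments keep arriving. This is an added example, not kernel code or code from anyone in this bug. It assumes a 192K low-water mark as the eviction target, charges only the fragment's byte count, and uses hypothetical names throughout (frag_model, model_receive, model_run).

```c
#include <stddef.h>
#include <stdio.h>
#define HIGH_THRESH (256 * 1024) /* limit quoted in the bug description */
#define LOW_THRESH  (192 * 1024) /* assumed eviction target, not stated on the page */
#define MAX_QUEUES  4096         /* capacity of this model only */

struct frag_model {
    size_t cost[MAX_QUEUES];   /* ring of incomplete datagrams, oldest at head */
    size_t head, count;
    size_t mem, peak, evicted; /* bytes charged now, highest seen, queues dropped */
};

/* Discard the oldest incomplete datagram and release its memory charge. */
static void drop_oldest(struct frag_model *m)
{
    m->mem -= m->cost[m->head];
    m->head = (m->head + 1) % MAX_QUEUES;
    m->count--;
    m->evicted++;
}

/* One fragment that opens a new datagram which is never completed. */
static void model_receive(struct frag_model *m, size_t bytes)
{
    if (m->mem > HIGH_THRESH)   /* stand-in for the ip_evictor() call */
        while (m->mem > LOW_THRESH && m->count > 0)
            drop_oldest(m);
    if (m->count == MAX_QUEUES) /* ring full: model limit, not kernel behaviour */
        drop_oldest(m);
    m->cost[(m->head + m->count++) % MAX_QUEUES] = bytes;
    m->mem += bytes;
    if (m->mem > m->peak) m->peak = m->mem;
}

/* Feed n constructed orphan fragments of equal size; return the end state. */
struct frag_model model_run(size_t n, size_t bytes)
{
    struct frag_model m = {0};
    for (size_t i = 0; i < n; i++)
        model_receive(&m, bytes);
    return m;
}

int main(void)
{
    struct frag_model m = model_run(1000, 1500); /* constructed input */
    printf("peak=%zu evicted=%zu held=%zu\n", m.peak, m.evicted, m.mem);
}
```

In the model the peak never exceeds the high threshold by more than one fragment, while the eviction count grows with the number of fragments received.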