Red Hat Bugzilla – Bug 134275
"New Dawn" Attack
Last modified: 2007-11-30 17:06:54 EST
This message was posted to bugtraq on 2004-09-27
Securityfocus is claiming that at least RHEL2.1 is vulnerable to this
Can we have someone look into if we're vulnerable to this issue, and
can we verify that RHEL3 is not vulnerable.
We do not believe that this attack poses a serious threat to Red Hat
Enterprise Linux 2.1 and 3 systems.
In the Red Hat Enterprise Linux kernel, the ip_fragment.c routines
protects us from this by checking the memory used for IP fragments.
When the amount of memory being used by IP fragments is greater than
256K, the ip_evictor() routine is called to cleanup outstanding
Test results indicate that Red Hat Enterprise Linux does become
unresponsive when the attack is launched against them. The machines
however do not crash, and return to normal operation once the attack
Please note additionally, that this Denial of Service condition is
very similar to a typical network based Denial of Service attack.
Greetings and Salutations:
The condition you have dismissed *is* the problem. A Red Hat server is vulnerable to this
attack. You can (with a relatively small number of packets) drive the CPU utilization up.
Also, if the packets are formed correctly IDS's do not pick this up as an attack.
I would suggest that you look at the latest Linux 2.6 kernel. This issue has been fixed in
the ip_fragment.c routine. Very elegantly I might add.
Do not meddle in the affairs of wizards for they are subtle and
quick to anger.
Ken Hollis - Gandalf The White - firstname.lastname@example.org - O- TINLC
WWW Page - http://digital.net/~gandalf/
Trace E-Mail forgery - http://digital.net/~gandalf/spamfaq.html
Trolls crossposts - http://digital.net/~gandalf/trollfaq.html
The NewDawn reproducer does indeed cause heavy cpu usage on RHEL21. The
suggested backport from 2.6's ip_fragment.c does not make a noticable difference
in cpu usage when the attack is running. As noted before, the attack degrades
performance, but does not cause a crash. Also worth noting, the attack drove up
cpu usage on only one processor of a smp system, with the second processor
remaining 95% (or more) idle.