Bug 134275 - (IT51660) "New Dawn" Attack
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: kernel
All Linux
medium Severity medium
Assigned To: Don Howard
Brian Brock
: Security
Reported: 2004-09-30 16:15 EDT by Josh Bressers
Modified: 2007-11-30 17:06 EST
Doc Type: Bug Fix
Last Closed: 2005-11-02 20:05:42 EST

Description Josh Bressers 2004-09-30 16:15:10 EDT
This message was posted to bugtraq on 2004-09-27

Securityfocus is claiming that at least RHEL2.1 is vulnerable to this

Can we have someone look into if we're vulnerable to this issue, and
can we verify that RHEL3 is not vulnerable.

Comment 3 Josh Bressers 2004-10-21 12:45:28 EDT
We do not believe that this attack poses a serious threat to Red Hat 
Enterprise Linux 2.1 and 3 systems.

In the Red Hat Enterprise Linux kernel, the ip_fragment.c routines
protect us from this by checking the memory used for IP fragments. 
When the amount of memory being used by IP fragments is greater than
256K, the ip_evictor() routine is called to clean up outstanding

Test results indicate that Red Hat Enterprise Linux does become 
unresponsive when the attack is launched against them.  The machines 
however do not crash, and return to normal operation once the attack 

Comment 4 Josh Bressers 2004-10-21 12:56:08 EDT
Please note additionally, that this Denial of Service condition is
very similar to a typical network based Denial of Service attack.

Comment 5 Ken Hollis 2004-11-08 22:10:39 EST
Greetings and Salutations:

The condition you have dismissed *is* the problem.  A Red Hat server is vulnerable to this 
attack.  You can (with a relatively small number of packets) drive the CPU utilization up.  
Also, if the packets are formed correctly IDS's do not pick this up as an attack.

I would suggest that you look at the latest Linux 2.6 kernel.  This issue has been fixed in 
the ip_fragment.c routine.  Very elegantly I might add.


Ken Hollis

Do not meddle in the affairs of wizards for they are subtle and
quick to anger.
Ken Hollis - Gandalf The White - gandalf@digital.net - O- TINLC
WWW Page - http://digital.net/~gandalf/
Trace E-Mail forgery - http://digital.net/~gandalf/spamfaq.html
Trolls crossposts - http://digital.net/~gandalf/trollfaq.html

Comment 9 Don Howard 2005-11-02 20:05:42 EST
The NewDawn reproducer does indeed cause heavy cpu usage on RHEL21.  The
suggested backport from 2.6's ip_fragment.c does not make a noticeable difference
in cpu usage when the attack is running.  As noted before, the attack degrades
performance, but does not cause a crash.  Also worth noting, the attack drove up
cpu usage on only one processor of a smp system, with the second processor
remaining 95% (or more) idle.
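
The 256K fragment-memory limit described in Comment 3 can be watched from userspace. The following is an added example, not code from this bug report or from Red Hat: it compares two snapshots of /proc/net/snmp with the FRAG line of /proc/net/sockstat to flag reassembly pressure. The sample text, the 0.9 and 0.5 cut-offs and all function names are constructed for illustration, and it assumes the FRAG memory figure is reported in bytes.

```python
# Added example: flag IP-fragment reassembly pressure from /proc snapshots.
HIGH_THRESH = 256 * 1024  # the 256K fragment-memory limit quoted in Comment 3

def parse_ip_counters(snmp_text):
    """Map counter names to values using the two 'Ip:' lines of /proc/net/snmp."""
    rows = [l.split()[1:] for l in snmp_text.splitlines() if l.startswith("Ip:")]
    if len(rows) != 2 or len(rows[0]) != len(rows[1]):
        raise ValueError("expected one Ip: header line and one Ip: value line")
    return dict(zip(rows[0], map(int, rows[1])))

def parse_frag_memory(sockstat_text):
    """Return the 'memory' value from the FRAG: line of /proc/net/sockstat."""
    for line in sockstat_text.splitlines():
        if line.startswith("FRAG:"):
            fields = line.split()[1:]          # e.g. inuse 180 memory 259200
            return int(dict(zip(fields[::2], fields[1::2]))["memory"])
    raise ValueError("no FRAG: line found")

def assess(snmp_before, snmp_after, sockstat_after, fail_ratio=0.5, near=0.9):
    """Report reassembly deltas between two snapshots and whether to alert."""
    b, a = parse_ip_counters(snmp_before), parse_ip_counters(snmp_after)
    names = ("ReasmReqds", "ReasmOKs", "ReasmFails", "ReasmTimeout")
    delta = {n: a[n] - b[n] for n in names}
    mem = parse_frag_memory(sockstat_after)
    near_limit = mem >= near * HIGH_THRESH
    # Heuristic (assumption): fragments keep arriving while reassembly
    # failures dominate, i.e. queues are discarded rather than completed.
    failing = (delta["ReasmReqds"] > 0
               and delta["ReasmFails"] >= fail_ratio * delta["ReasmReqds"])
    return {"delta": delta, "frag_mem": mem, "near_limit": near_limit,
            "alert": near_limit and failing}

# Constructed sample input (column list abbreviated; real files carry more fields).
HDR = ("Ip: Forwarding DefaultTTL InReceives InDelivers "
       "ReasmTimeout ReasmReqds ReasmOKs ReasmFails")
BEFORE = HDR + "\nIp: 2 64 1000 990 0 10 5 0\n"
AFTER = HDR + "\nIp: 2 64 61000 1200 40 60010 5 59000\n"
SOCKSTAT_AFTER = "sockets: used 120\nFRAG: inuse 180 memory 259200\n"

if __name__ == "__main__":
    print(assess(BEFORE, AFTER, SOCKSTAT_AFTER))
```

On a live host the three strings would be read from /proc/net/snmp and /proc/net/sockstat a few seconds apart.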
