CIAC Bulletin I-019:Tools Generating IP Denial-of-Service Attacks
- From: "Ralph E. Wasmer Jr." <wazzer flinthills com>
- To: redhat-install-list redhat com
- Subject: CIAC Bulletin I-019:Tools Generating IP Denial-of-Service Attacks
- Date: Sat, 27 Dec 1997 08:55:11 -0600
Tear Drop and Land info
>Date: Tue, 23 Dec 1997 11:31:17 -0800 (PST)
>From: CIAC Mail User <ciac tholia llnl gov>
>To: ciac-bulletin tholia llnl gov
>Subject: CIAC Bulletin I-019:Tools Generating IP Denial-of-Service Attacks
>Sender: owner-ciac-bulletin tholia llnl gov
>Precedence: bulk
>Status: U
>
>[ For Public Release ]
>-----BEGIN PGP SIGNED MESSAGE-----
>
>
> __________________________________________________________
>
> The U.S. Department of Energy
> Computer Incident Advisory Capability
>             ___  __ __    _     ___
>            /       |     /_\   /
>            \___  __|__  /   \  \___
> __________________________________________________________
>
> INFORMATION BULLETIN
>
> Tools Generating IP Denial-of-Service Attacks
>
>December 16, 1997 18:00 GMT Number I-019
>______________________________________________________________________________
>PROBLEM:       Information has been received that two tools (Teardrop and
>               Land) which exploit vulnerabilities in the TCP/IP protocol are
>               being used to cause denial-of-service attacks.
>PLATFORM:      Any platform using the TCP/IP protocol may be vulnerable. Check
>               the vendor list included in this bulletin.
>DAMAGE:        Use of these tools (Teardrop and Land) enables a remote user to
>               launch a denial-of-service attack.
>SOLUTION:      Apply either the patches or the workaround included in the
>               bulletin.
>VULNERABILITY  Attacks using these tools have been reported.
>ASSESSMENT:
>
>______________________________________________________________________________
>CIAC IS AWARE OF THE DISCUSSION ON BUGTRAQ REGARDING LINUX AND THIS
>VULNERABILITY. WE HAVE CHOSEN TO SEND THIS ADVISORY AS DISTRIBUTED.
>IT WILL BE UPDATED IF ANY OF THE ENCLOSED INFORMATION CHANGES.
>______________________________________________________________________________
>
>[ Start of CERT/CC Advisory ]
>- -----BEGIN PGP SIGNED MESSAGE-----
>
>=============================================================================
>CERT* Advisory CA-97.28
>Original issue date: Dec. 16, 1997
>
>Last revised: December 16, 1997 - Added vendor information for Digital
> Equipment Corporation and Hewlett-Packard.
>
> A complete revision history is at the end of this file.
>
>Topic: IP Denial-of-Service Attacks
>- ----------------------------------------------------------------------------
>
>The CERT Coordination Center has received reports of two attack tools
>(Teardrop and Land) that are being used to exploit two vulnerabilities in the
>TCP/IP protocol. Both tools enable a remote user to cause a denial of service.
>
>The CERT/CC team recommends installing patches from your vendor. Until you are
>able to do so, we urge you to use the workaround described in Section
>III.B. to reduce the likelihood of a successful attack using Land. There is
>no workaround for Teardrop.
>
>We will update this advisory as we receive additional information.
>Please check our advisory files regularly for updates that relate to your
>site.
>
>- ----------------------------------------------------------------------------
>
>I. Description
>
> In recent weeks there has been discussion on public mailing lists about
> two denial-of-service attack tools, Teardrop and Land. These attack tools
> have similar effects on some systems (namely, causing the victim machine
> to crash), but the tools exploit different vulnerabilities.
>
> The CERT Coordination Center has received several reports of sites being
> attacked by either one or both of these tools. It is important to note
> that it may be necessary for a system administrator to apply separate
> patches, if they exist, for each attack tool.
>
> Topic 1 - Teardrop
>
> Some implementations of the TCP/IP IP fragmentation re-assembly code do
> not properly handle overlapping IP fragments. Teardrop is a widely
> available attack tool that exploits this vulnerability.
>
> Topic 2 - Land
>
> Some implementations of TCP/IP are vulnerable to packets that are crafted
> in a particular way (a SYN packet in which the source address and port
> are the same as the destination--i.e., spoofed). Land is a widely
> available attack tool that exploits this vulnerability.
>
>II. Impact
>
> Topic 1 - Teardrop
>
> Any remote user can crash a vulnerable machine.
>
>
> Topic 2 - Land
>
> Any remote user that can send spoofed packets to a host can crash or
> "hang" that host.
>
>
>III. Solution
>
> CERT/CC urges you to immediately apply vendor patches if they are
> available. You may have to apply different patches for each attack tool.
>
> You may want to use the workaround for Land, so please review
> both Sections A and B below.
>
> A. Consult your vendor
>
> Appendix A contains information from vendors who provided input for
> this advisory. We will update the appendix as we receive more
> information. If you do not see your vendor's name, the CERT/CC did not
> hear from that vendor. Please contact your vendor directly.
>
> It is important to note that you may have to apply different
> patches for each attack tool.
>
> B. Apply the following workaround (Land only)
>
> A workaround for the Land attack tool is to block IP-spoofed packets.
> This workaround does not apply to the Teardrop attack tool because the
> Teardrop attack does not rely on IP-spoofed packets.
>
> Attacks like those of the Land tool rely on the use of forged packets,
> that is, packets where the attacker deliberately falsifies the origin
> address. With the current IP protocol technology, it is impossible to
> eliminate IP-spoofed packets. However, you can reduce the likelihood of
> your site's networks being used to initiate forged packets by filtering
> outgoing packets that have a source address different from that of your
> internal network.
>
> Currently, the best method to reduce the number of IP-spoofed packets
> exiting your network is to install filtering on your routers that
> requires packets leaving your network to have a source address from
> your internal network. This type of filter prevents a source IP
> spoofing attack from your site by filtering all outgoing packets that
> contain a source address from a different network.
>
> A detailed description of this type of filtering is available in the
> Internet Draft "Network Ingress Filtering: Defeating Denial of Service
> Attacks which employ IP Source Address Spoofing" by Paul Ferguson of
> Cisco Systems, Inc. and Daniel Senie of Blazenet, Inc. Note that
> although this document is labeled as an IETF "working draft," the
> content is complete and it is being proposed as an Informational RFC.
> We recommend it to both Internet Service Providers and sites that
> manage their own routers.
>
> The document is currently available at
>
>http://ds.internic.net/internet-drafts/draft-ferguson-ingress-filtering-03.txt
>
>
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>Appendix A - Vendor Information
>
>Below is a list of the vendors who have provided information for this
>advisory. We will update this appendix as we receive additional information.
>If you do not see your vendor's name, the CERT/CC did not hear from that
>vendor. Please contact the vendor directly.
>
>Cisco Systems
>=============
>
>Topic 1 - Teardrop
>
>No feedback.
>
>Topic 2 - Land
>
>IOS/7000 software, Catalyst 5xxx and 29xx LAN switches, BPX and IGX WAN
>switches and AXIS shelf appear to be vulnerable.
>PIX firewall and Centri firewall are not vulnerable.
>
>For more information reference URL:
>http://www.cisco.com/warp/public/770/land-pub.shtml
>
>
>Digital Equipment Corporation
>=============================
>
> This reported problem is not present for Digital's ULTRIX or
> Digital UNIX Operating Systems Software.
>
>
>The FreeBSD Project
>===================
>
>Topic 1 - Teardrop
>
>CSRG 4.4 is not vulnerable.
>
>Topic 2 - Land
>
>No feedback.
>
>
>Hewlett-Packard Corporation
>===========================
>
>HP is vulnerable, patches in process. Watch for HP Security Bulletin
>to be issued.
>
>
>IBM Corporation
>===============
>
>Topic 1 - Teardrop
>
>AIX is not vulnerable.
>
>Topic 2 - Land
>
>AIX is not vulnerable.
>
>
>Microsoft Corporation
>=====================
>
>Topic 1 - Teardrop
>
>Windows NT 4.0 with SP 3 and post SP 3 fixes applied and Windows 95
>with the appropriate patch are not vulnerable.
>Patch information is available at URL:
>ftp://ftp.microsoft.com/bussys/winnt/kb/Q154/1/74.TXT
>
>Topic 2 - Land
>
>Windows NT 4.0 with the appropriate patch is not vulnerable.
>Patch information is available at URL:
>ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/land-fix/Q165005.txt
>
>Windows 95 without the WinSock 2.0 Update is not vulnerable.
>Patch information is available at URL:
>ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/land-fix/Q177539.TXT
>
>
>NCR Corporation
>===============
>
>Topic 1 - Teardrop
>
>NCR TCP/IP implementation is not vulnerable.
>
>Topic 2 - Land
>
>No feedback.
>
>
>The NetBSD Project
>==================
>
>Topic 1 - Teardrop
>
>Versions 1.2 and above are not vulnerable.
>
>Topic 2 - Land
>
>No feedback.
>
>
>Red Hat Software
>================
>
>Topic 1 - Teardrop
>
>Linux is not vulnerable.
>
>Topic 2 - Land
>
>Linux is not vulnerable.
>
>- ---------------------------------------------------------------------------
>
>The CERT Coordination Center thanks Paul Ferguson and Daniel Senie for
>providing information on network ingress filtering.
>
>- ----------------------------------------------------------------------------
>
>
>If you believe that your system has been compromised, contact the CERT
>Coordination Center or your representative in the Forum of Incident Response
>and Security Teams (see http://www.first.org/team-info/).
>
>
>CERT/CC Contact Information
>- ----------------------------
>Email cert cert org
>
>Phone +1 412-268-7090 (24-hour hotline)
> CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
> and are on call for emergencies during other hours.
>
>Fax +1 412-268-6989
>
>Postal address
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> USA
>
>Using encryption
> We strongly urge you to encrypt sensitive information sent by email. We
> can support a shared DES key or PGP. Contact the CERT/CC for more
> information.
>
> Location of CERT PGP key
> ftp://ftp.cert.org/pub/CERT_PGP.key
>
>Getting security information
> CERT publications and other security information are available from
> http://www.cert.org/
> ftp://ftp.cert.org/pub/
>
> CERT advisories and bulletins are also posted on the USENET newsgroup
> comp.security.announce
>
> To be added to our mailing list for advisories and bulletins, send
> email to
> cert-advisory-request cert org
> In the subject line, type
> SUBSCRIBE your-email-address
>
>- ---------------------------------------------------------------------------
>
>Copyright 1997 Carnegie Mellon University. Conditions for use, disclaimers,
>and sponsorship information can be found in
>http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
>If you do not have FTP or web access, send mail to cert cert org with
>"copyright" in the subject line.
>
>*CERT is registered in the U.S. Patent and Trademark Office.
>
>- ---------------------------------------------------------------------------
>
>This file: ftp://ftp.cert.org/pub/cert_advisories/CA-97.28.Teardrop_Land
> http://www.cert.org
> click on "CERT Advisories"
>
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>Revision history
>
>Dec. 16, 1997 - Added vendor information for Digital Equipment
> Corporation and Hewlett-Packard.
>
>
>[End of CERT/CC Advisory]
>
>______________________________________________________________________________
>
>CIAC wishes to acknowledge the contributions of CERT/CC for the
>information contained in this bulletin
>
>______________________________________________________________________________
>
>
>CIAC, the Computer Incident Advisory Capability, is the computer
>security incident response team for the U.S. Department of Energy
>(DOE) and the emergency backup response team for the National
>Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
>National Laboratory in Livermore, California. CIAC is also a founding
>member of FIRST, the Forum of Incident Response and Security Teams, a
>global organization established to foster cooperation and coordination
>among computer security teams worldwide.
>
>CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
>can be contacted at:
> Voice: +1 510-422-8193
> FAX: +1 510-423-8002
> STU-III: +1 510-423-2604
> E-mail: ciac llnl gov
>
>For emergencies and off-hour assistance, DOE, DOE contractor sites,
>and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
>8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
>or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
>Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
>duty person, and the secondary PIN number, 8550074 is for the CIAC
>Project Leader.
>
>Previous CIAC notices, anti-virus software, and other information are
>available from the CIAC Computer Security Archive.
>
> World Wide Web: http://ciac.llnl.gov/
> Anonymous FTP: ciac.llnl.gov (198.128.39.53)
> Modem access: +1 (510) 423-4753 (28.8K baud)
> +1 (510) 423-3331 (28.8K baud)
>
>CIAC has several self-subscribing mailing lists for electronic
>publications:
>1. CIAC-BULLETIN for Advisories, highest priority - time critical
> information and Bulletins, important computer security information;
>2. CIAC-NOTES for Notes, a collection of computer security articles;
>3. SPI-ANNOUNCE for official news about Security Profile Inspector
> (SPI) software updates, new features, distribution and
> availability;
>4. SPI-NOTES, for discussion of problems and solutions regarding the
> use of SPI products.
>
>Our mailing lists are managed by a public domain software package
>called Majordomo, which ignores E-mail header subject lines. To
>subscribe (add yourself) to one of our mailing lists, send the
>following request as the E-mail message body, substituting
>ciac-bulletin, ciac-notes, spi-announce OR spi-notes for list-name:
>
>E-mail to ciac-listproc llnl gov or majordomo tholia llnl gov:
> subscribe list-name
> e.g., subscribe ciac-notes
>
>You will receive an acknowledgment email immediately with a confirmation
>that you will need to mail back to the addresses above, as per the
>instructions in the email. This is a partial protection to make sure
>you are really the one who asked to be signed up for the list in question.
>
>If you include the word 'help' in the body of an email to the above address,
>it will also send back an information file on how to subscribe/unsubscribe,
>get past issues of CIAC bulletins via email, etc.
>
>PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
>communities receive CIAC bulletins. If you are not part of these
>communities, please contact your agency's response team to report
>incidents. Your agency's team will coordinate with CIAC. The Forum of
>Incident Response and Security Teams (FIRST) is a world-wide
>organization. A list of FIRST member organizations and their
>constituencies can be obtained via WWW at http://www.first.org/.
>
>This document was prepared as an account of work sponsored by an
>agency of the United States Government. Neither the United States
>Government nor the University of California nor any of their
>employees, makes any warranty, express or implied, or assumes any
>legal liability or responsibility for the accuracy, completeness, or
>usefulness of any information, apparatus, product, or process
>disclosed, or represents that its use would not infringe privately
>owned rights. Reference herein to any specific commercial products,
>process, or service by trade name, trademark, manufacturer, or
>otherwise, does not necessarily constitute or imply its endorsement,
>recommendation or favoring by the United States Government or the
>University of California. The views and opinions of authors expressed
>herein do not necessarily state or reflect those of the United States
>Government or the University of California, and shall not be used for
>advertising or product endorsement purposes.
>
>LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
>
>I-010: HP-UX CDE Vulnerability
>I-011: IBM AIX portmir command Vulnerability
>I-012: IBM AIX ftp client Vulnerability
>I-013: Count.cgi Buffer Overrun Vulnerability
>I-014: Vulnerability in GlimpseHTTP and WebGlimpse cgi-bin Packages
>I-015: SGI IRIX Vulnerabilities (syserr and permissions programs)
>I-016: SCO /usr/bin/X11/scoterm Vulnerability
>I-017: statd Buffer Overrun Vulnerability
>I-018: FTP Bounce Vulnerability
>
>
>
- -
"The significant problems we face can not be
solved at the same level of thinking
we were at when we created them."
Albert Einstein
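
The Land description and the Section III.B workaround in the forwarded advisory, as an added example that is not part of the bulletin or of this message: a border-filter decision over raw IPv4/TCP headers. The site prefix, function names and sample packets are assumptions constructed for illustration; the inbound anti-spoofing rule goes one step beyond the outbound filter the advisory describes.

```python
import ipaddress
import struct

# Assumed site prefix (documentation range); replace with your own networks.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
TCP_SYN = 0x02

def parse_ipv4_tcp(pkt):
    """Return (src, dst, sport, dport, flags), or None if pkt is not
    an IPv4/TCP packet that carries the start of the TCP header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    frag_off = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if ihl < 20 or pkt[9] != 6 or frag_off or len(pkt) < ihl + 14:
        return None
    src = ipaddress.ip_address(pkt[12:16])
    dst = ipaddress.ip_address(pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return src, dst, sport, dport, pkt[ihl + 13]

def is_land(pkt):
    """Signature from the advisory: SYN whose source address and port
    equal the destination address and port."""
    f = parse_ipv4_tcp(pkt)
    return bool(f and f[4] & TCP_SYN and f[0] == f[1] and f[2] == f[3])

def source_is_internal(pkt):
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False
    src = ipaddress.ip_address(pkt[12:16])
    return any(src in net for net in INTERNAL_NETS)

def border_verdict(pkt, direction):
    """direction: 'out' = leaving the site, 'in' = arriving from outside."""
    if direction == "out" and not source_is_internal(pkt):
        return "drop: outbound packet with non-internal source"
    if direction == "in" and source_is_internal(pkt):
        return "drop: inbound packet claiming internal source"
    if is_land(pkt):
        return "drop: Land signature"
    return "forward"

def sample_syn(src, dst, sport, dport):
    """Constructed test input: IPv4 header + TCP SYN, checksums left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHLLBBHHH", sport, dport, 0, 0, 5 << 4, TCP_SYN,
                      8192, 0, 0)
    return ip + tcp
```

A Land-style packet aimed at an internal host necessarily carries an internal source address, so the inbound anti-spoofing rule drops it before the signature check is reached.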
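
The Teardrop description in the forwarded advisory (overlapping IP fragments that some reassembly code mishandles), as an added example that is not part of the bulletin or of this message: a checker that audits fragment ranges per datagram before reassembly. Function names and sample fragments are assumptions constructed for illustration; treating an exact duplicate range as a benign retransmission is a policy choice of this example.

```python
import struct

def fragment_fields(pkt):
    """Return (key, start, end, more) for an IPv4 packet, or None.
    start/end are payload byte offsets within the original datagram
    (end exclusive); key identifies the datagram being reassembled."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total, ident, frag = struct.unpack("!HHH", pkt[2:8])
    if ihl < 20 or total < ihl or len(pkt) < total:
        return None
    start = (frag & 0x1FFF) * 8          # fragment offset is in 8-byte units
    key = (pkt[12:16], pkt[16:20], ident, pkt[9])
    return key, start, start + (total - ihl), bool(frag & 0x2000)

def audit_fragments(packets):
    """Return {datagram key: [reasons]} for datagrams whose fragments
    break the invariants a reassembler relies on."""
    spans, findings = {}, {}
    for pkt in packets:
        f = fragment_fields(pkt)
        if f is None or (f[1] == 0 and not f[3]):
            continue                     # unparsable, or not fragmented
        key, start, end, more = f
        if end == start:
            findings.setdefault(key, []).append(
                f"empty fragment at {start}")
        elif more and (end - start) % 8:
            findings.setdefault(key, []).append(
                f"non-final fragment {start}-{end} not a multiple of 8")
        for s, e in spans.get(key, []):
            # Partial overlap: ranges intersect but are not identical.
            if (s, e) != (start, end) and start < e and s < end:
                findings.setdefault(key, []).append(
                    f"fragment {start}-{end} overlaps {s}-{e}")
        spans.setdefault(key, []).append((start, end))
    return findings

def sample_fragment(ident, offset_bytes, payload_len, more):
    """Constructed test input: IPv4/UDP fragment, zero payload and checksum."""
    frag = (0x2000 if more else 0) | (offset_bytes // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      frag, 64, 17, 0, bytes([198, 51, 100, 7]),
                      bytes([192, 0, 2, 10]))
    return hdr + bytes(payload_len)
```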