Fragmentation overlap attacks, The land and latierra attacks, The winnuke attack – Amer Networks E5Web GUI User Manual
Page 482

The triggering factor is that the last fragment makes the total packet size exceed 65535 bytes,
which is the highest number that a 16-bit integer can store. When the value overflows, it jumps
back to a very small number. What happens then is a function of how well the victim's IP stack is
implemented.
cOS Core will never allow fragments through that would result in the total size exceeding 65535
bytes. In addition to that, there are configurable limits for IP packet sizes in cOS Core's advanced
settings.
This type of attack will show up in cOS Core event logs as drops with the IP rule name set to
LogOversizedPackets. The sender IP address may be spoofed.
6.6.4. Fragmentation Overlap Attacks
Teardrop and its cousins (including Bonk, Boink, Nestea) are Fragment Overlap Attacks. Many IP
stacks have shown erratic behavior (excessive resource exhaustion or crashes) when exposed to
overlapping fragments.
cOS Core protects fully against fragmentation overlap attacks. Overlapping fragments are never
allowed to pass through the system.
Teardrop and its followers will show up in cOS Core event logs as drops with the rule name set to
IllegalFrags. The sender IP address may be spoofed.
6.6.5. The Land and LaTierra Attacks
Land and LaTierra type attacks work by sending a packet to a victim and making the victim
respond back to itself, which in turn generates yet another response to itself and so on. This will
either bog the victim's machine down, or cause it to crash.
The attack is accomplished by using the victim's IP address in the source field of an IP packet as
well as in the destination field.
cOS Core protects against this attack by applying IP spoofing protection to all packets. In its
default configuration, it will simply compare arriving packets to the contents of the routing table;
if a packet arrives on an interface that is different from the interface where the system expects
the source to be, the packet will be dropped.
These types of attack show up in cOS Core event logs as IP rule set drops with the rule name set
to AutoAccess, by default, or if the configuration contains custom Access Rule objects, the name of
the access rule that dropped the packet. The sender IP address is of no interest since it is always
the same as the destination IP address.
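As an added illustration, not part of this manual or of cOS Core, the following Python models the three drop decisions described above (fragments that would push the datagram past 65535 bytes, overlapping fragments, and Land-style packets failing the routing-table spoofing check) and labels each with the rule name the text says the drop is logged under. It assumes a 20-byte IP header and a constructed two-entry routing table.

```python
"""Fragment and spoofing sanity checks (constructed example, not cOS Core code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

IP_HEADER_LEN = 20   # assumed: header without options
MAX_IP_LEN = 65535   # limit of the 16-bit Total Length field


@dataclass
class Fragment:
    src: str
    dst: str
    iface: str     # interface the fragment arrived on
    offset: int    # Fragment Offset field, in 8-byte units
    length: int    # bytes of data carried by this fragment


# Constructed routing table: destination prefix -> interface that reaches it
ROUTES: Dict[str, str] = {"10.0.0.0/8": "lan", "0.0.0.0/0": "wan"}


def expected_iface(addr: str, routes: Dict[str, str] = ROUTES) -> str:
    """Longest-prefix match: the interface a packet *to* addr would leave on."""
    ip = ip_address(addr)
    best = max((ip_network(p) for p in routes if ip in ip_network(p)),
               key=lambda n: n.prefixlen)
    return routes[str(best)]


def classify(frags: List[Fragment]) -> str:
    """Return the rule name a drop would be logged under, or 'ok'.
    All fragments are assumed to belong to the same IP datagram."""
    for f in frags:
        # Spoofing check: the source must be reachable via the arrival interface.
        # A Land/LaTierra packet (src == dst == victim behind 'lan') arriving on
        # 'wan' fails this check, which is how the text says it is caught.
        if expected_iface(f.src) != f.iface:
            return "AutoAccess"
        # Ping of Death: this fragment alone would exceed the 16-bit length.
        if IP_HEADER_LEN + f.offset * 8 + f.length > MAX_IP_LEN:
            return "LogOversizedPackets"
    # Teardrop and relatives: two fragments covering the same data bytes.
    spans = sorted((f.offset * 8, f.offset * 8 + f.length) for f in frags)
    end = 0
    for start, stop in spans:
        if start < end:
            return "IllegalFrags"
        end = max(end, stop)
    return "ok"
```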
6.6.6. The WinNuke attack
The WinNuke attack works by connecting to a TCP service that does not have handlers for
"out-of-band" data (TCP segments with the URG bit set), but still accepts such data. This will
usually put the service in a tight loop that consumes all available CPU time.
One such service was the NetBIOS over TCP/IP service on Windows machines, which gave the
attack its name.
cOS Core protects against this in two ways:
• With a careful inbound policy, the attack surface is greatly reduced. Only exposed services
could possibly become victims to the attack, and public services tend to be more well-written
than services expected to only serve the local network.
Chapter 6: Security Mechanisms