Hello

I'm using Suse Linux 7.2 as a gateway for connecting to the Internet. Now I've been testing my gateway with Nessus, and I got this message back.

--
Vulnerability found on port general/tcp

It was possible to make the remote server crash using the 'teardrop' attack.

A cracker may use this attack to shut down this server, thus preventing your network from working properly.

Solution : contact your operating system vendor for a patch.

Risk factor : High
--

Does anybody know what patch I need or what I can do in this case?

Juerg
Hi!

Did it really crash?

Christian
Hi!
Did it really crash?
I guess not. Otherwise, reading the message might be a non-trivial problem. Security vulnerability scanners are a good approach, but they fail to be precise wrt the meanings of the reactions of probes. Since ages, the scanners report a vulnerable popper program listening on the pop3 port in SuSE installations, but this was not true b/c the daemon we shipped was patched against the bugs that people found over the time.
Christian
Thanks,
Roman.
--
Roman Drahtmüller
On Friday 19 October 2001 16:09, jst wrote:
Hello
I'm using Suse Linux 7.2 as Gateway for connecting Internet. Now I've been testing my Gateway with Nessus. And I got this Message back.
-- Vulnerability found on port general/tcp
It was possible to make the remote server crash using the 'teardrop' attack.
Check out http://www.sans.org/infosecFAQ/threats/frag_attacks.htm for details.

The info below is cut & pasted from http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO-5.html:

5.3 Filtering out Ping of Death

Linux boxes are now immune to the famous Ping of Death, which involves sending an illegally-large ICMP packet which overflows buffers in the TCP stack on the receiver and causes havoc.

If you are protecting boxes which might be vulnerable, you could simply block ICMP fragments. Normal ICMP packets aren't large enough to require fragmentation, so you won't break anything except big pings. I have heard (unconfirmed) reports that some systems required only the last fragment of an oversize ICMP packet to corrupt them, so blocking only the first fragment is not recommended.

While the exploit programs I have seen all use ICMP, there are no reasons that TCP or UDP fragments (or an unknown protocol) could not be used for this attack, so blocking ICMP fragments is only a temporary solution.

5.4 Filtering out Teardrop and Bonk

Teardrop and Bonk are two attacks (mainly against Microsoft Windows NT machines) which rely on overlapping fragments. Having your Linux router do defragmentation, or disallowing all fragments to your vulnerable machines are the other options.

5.5 Filtering out Fragment Bombs

Some less-reliable TCP stacks are said to have problems dealing with large numbers of fragments of packets when they don't receive all the fragments. Linux does not have this problem. You can filter out fragments (which might break legitimate uses) or compile your kernel with `IP: always defragment' set to `Y' (only if your Linux box is the only possible route for these packets).
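The two fragment anomalies the quoted HOWTO sections describe (overlapping fragments in 5.4, a reassembled size above the IP maximum in 5.3) can be recognised from fragment headers alone. The following is an added example, not code from this thread or from the HOWTO; the sample tuples and the function name `classify_fragments` are constructed for illustration.

```python
# Added example: classify IPv4 fragment sets by the anomalies named in the
# quoted HOWTO sections 5.3 (oversize) and 5.4 (overlap).
from collections import defaultdict

MAX_IP_DATAGRAM = 65535  # largest total length an IPv4 datagram may have

# Constructed sample data, not captured traffic:
# (src, dst, proto, ip_id, frag_offset_units, payload_len, more_fragments)
# frag_offset_units is the raw header field, counted in 8-byte units.
SAMPLE_FRAGMENTS = [
    ("10.0.0.5", "10.0.0.1", 17, 100, 0, 1480, True),    # normal datagram, part 1
    ("10.0.0.5", "10.0.0.1", 17, 100, 185, 520, False),  # normal datagram, part 2
    ("10.0.0.9", "10.0.0.1", 17, 242, 0, 40, True),      # bytes 0..40
    ("10.0.0.9", "10.0.0.1", 17, 242, 3, 4, False),      # starts at byte 24: overlap
    ("10.0.0.7", "10.0.0.1", 1, 7, 8189, 100, False),    # reassembles past 65535
]

def classify_fragments(fragments, ip_header_len=20):
    """Return {datagram_key: sorted anomaly names} for suspicious datagrams."""
    groups = defaultdict(list)
    for src, dst, proto, ip_id, off_units, length, mf in fragments:
        # Fragments belong together when source, destination, protocol and ID match.
        groups[(src, dst, proto, ip_id)].append((off_units * 8, length, mf))

    findings = {}
    for key, frags in groups.items():
        anomalies = set()
        prev_end = 0
        for start, length, _mf in sorted(frags):
            end = start + length
            # A fragment starting before the data seen so far ends overlaps it.
            # Exact duplicates (retransmissions) are also reported by this check.
            if start < prev_end:
                anomalies.add("overlap")
            # Header plus reassembled payload must fit the 16-bit total length.
            if ip_header_len + end > MAX_IP_DATAGRAM:
                anomalies.add("oversize")
            prev_end = max(prev_end, end)
        if anomalies:
            findings[key] = sorted(anomalies)
    return findings

if __name__ == "__main__":
    for key, names in classify_fragments(SAMPLE_FRAGMENTS).items():
        print(key, names)
```
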
participants (4)
- Christian Westphal
- jst
- Roman Drahtmueller
- Thomas Sjogren