[e2e] Legal fragment sizes
fernando at gont.com.ar
Wed May 17 05:33:28 PDT 2006
At 08:53 17/05/2006, David P. Reed wrote:
IIRC, the "Ping of Death" attack that led to a blue-screen in
Windows exploited this idea.
There might still be other systems with problems handling these packets....
>I'd bet there is at least one IP stack that would overwrite kernel
>memory if you play this trick on it. :-)
>Somebody who wanted to test this hypothesis could start sending lots
>of these "extreme" packets out to random addresses, followed by
>tests to see if the addressed computers crash (ping every second for
>Probably you should consult your lawyer before carrying out this
>experiment, if you don't work for the security dept. of the
>organization you are probing.
>Jeno Jeno wrote:
>>Oops, I forgot the units for fragment-offset field and total
>>length. Yes, whatever you have mentioned should be
>>On 5/17/06, Jeno Jeno <su.jeno at gmail.com> wrote:
>> The fragment-offset field is just 13-bits. So you cannot
>> specify a fragment offset of ~64k.
>> On 5/16/06, Fernando Gont <fernando at gont.com.ar> wrote:
>> I was going through the IP specs, and there was a point on which
>> there seems to be some ambiguity (or, well, at least it's not that
>> clear to me). I wonder what your interpretation is.
>> Is the maximum "legal" IP payload defined by "Total_Length -
>> IP_Header" (i.e., around 65K), or should it be considered to
>> be the
>> maximum payload that can be encapsulated, by using the "trick"
>> described below? (i.e., which would then result in a maximum
>> size of around 128K)
>> (The "trick" would be to send a ~65K fragment with the MF bit set,
>> followed by a second 65K fragment with an offset of ~65K)
>> Fernando Gont
>> e-mail: fernando at gont.com.ar || fgont at acm.org
>> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
>e-mail: fernando at gont.com.ar || fgont at acm.org
>PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
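The arithmetic behind the "trick" discussed in this thread, as an added example that is not part of the original messages: the Fragment Offset field is 13 bits counted in 8-octet units, so the largest encodable offset is 8191 * 8 = 65528 octets, and a fragment placed there with more than a handful of payload bytes makes the reassembled datagram exceed the 16-bit Total Length limit (the Ping of Death condition). The builder, parser and reassembler below follow RFC 791 field layouts; the addresses, identification values and payloads are constructed test data, and `safe_reassemble` is an illustrative check written for this example, not any particular stack's reassembly code.

```python
"""
Added example (not from the original thread): IPv4 fragment arithmetic behind the
"~65K fragment followed by a fragment at offset ~65K" trick, and the reassembly
check that rejects it. Field layout and limits follow RFC 791; addresses,
identification values and payloads are constructed test data.
"""
import struct

IPV4_HEADER_LEN = 20                   # fixed header, no options
IPV4_MAX_TOTAL_LENGTH = 0xFFFF         # 16-bit Total Length field (RFC 791)
MAX_REASSEMBLED_PAYLOAD = IPV4_MAX_TOTAL_LENGTH - IPV4_HEADER_LEN   # 65515
FRAG_UNIT = 8                          # Fragment Offset counts 8-octet units
MAX_FRAG_OFFSET_FIELD = 0x1FFF         # 13-bit field
MAX_FRAG_OFFSET_BYTES = MAX_FRAG_OFFSET_FIELD * FRAG_UNIT           # 65528
IP_MF = 0x2000                         # More Fragments flag


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (caller zeroes the checksum field)."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def encode_frag_offset(offset_bytes: int) -> int:
    """Byte offset -> 13-bit field value; raises if it cannot be represented."""
    if offset_bytes % FRAG_UNIT:
        raise ValueError("fragment offset must be a multiple of 8 octets")
    if offset_bytes > MAX_FRAG_OFFSET_BYTES:
        raise ValueError(f"offset {offset_bytes} does not fit in 13 bits "
                         f"(max {MAX_FRAG_OFFSET_BYTES})")
    return offset_bytes // FRAG_UNIT


def build_fragment(ident: int, offset_bytes: int, more_fragments: bool, payload: bytes,
                   src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02", proto=1) -> bytes:
    """Build one IPv4 fragment (header + payload); src/dst are constructed addresses."""
    total_length = IPV4_HEADER_LEN + len(payload)
    if total_length > IPV4_MAX_TOTAL_LENGTH:
        raise ValueError("a single fragment cannot exceed 65535 octets")
    flags_frag = (IP_MF if more_fragments else 0) | encode_frag_offset(offset_bytes)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, ident, flags_frag,
                      64, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_fragment(pkt: bytes) -> dict:
    """Decode the fields reassembly needs; verifies the header checksum."""
    vihl, _tos, total_length, ident, flags_frag, _ttl, _proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:IPV4_HEADER_LEN])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < IPV4_HEADER_LEN or len(pkt) < total_length:
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"ident": ident,
            "offset": (flags_frag & MAX_FRAG_OFFSET_FIELD) * FRAG_UNIT,
            "mf": bool(flags_frag & IP_MF),
            "payload": pkt[ihl:total_length]}


def fragment_end(pkt: bytes) -> int:
    """Where this fragment's data ends in the reassembled payload (offset + length)."""
    f = parse_fragment(pkt)
    return f["offset"] + len(f["payload"])


def exceeds_max_datagram(pkt: bytes) -> bool:
    """True if accepting this fragment would push header + payload past 65535 octets."""
    return fragment_end(pkt) > MAX_REASSEMBLED_PAYLOAD


def safe_reassemble(fragments) -> bytes:
    """Reassemble fragments of one datagram, rejecting oversize, gaps and overlaps."""
    frags = sorted((parse_fragment(p) for p in fragments), key=lambda f: f["offset"])
    if len({f["ident"] for f in frags}) != 1:
        raise ValueError("fragments belong to different datagrams")
    data, expected = bytearray(), 0
    for f in frags:
        end = f["offset"] + len(f["payload"])
        if end > MAX_REASSEMBLED_PAYLOAD:
            raise ValueError(f"fragment ends at {end}; datagram would exceed 65535 octets")
        if f["offset"] != expected:
            raise ValueError("gap or overlap between fragments")
        if f["mf"] and len(f["payload"]) % FRAG_UNIT:
            raise ValueError("non-final fragment length is not a multiple of 8")
        data += f["payload"]
        expected = end
    if frags[-1]["mf"]:
        raise ValueError("final fragment missing (MF still set)")
    return bytes(data)


def demo() -> dict:
    """The thread's trick: a ~65K fragment with MF set, then one at offset 65528."""
    first = build_fragment(0x1234, 0, True, b"A" * 65512)        # 65532-octet packet
    second = build_fragment(0x1234, MAX_FRAG_OFFSET_BYTES, False, b"B" * 1000)
    return {"first_end": fragment_end(first),
            "second_end": fragment_end(second),
            "second_oversize": exceeds_max_datagram(second)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two answers the thread circles around: the offset field cannot express "~128K" (anything above 65528 octets fails to encode), but it can express 65528, and a second fragment there ends at 66528, beyond what a 16-bit Total Length can describe. A reassembler that checks `offset + length` against 65535 minus the header on every fragment, as `safe_reassemble` does, drops the second fragment before allocating or copying anything, which is the check the vulnerable stacks mentioned in the thread lacked.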