[e2e] Legal fragment sizes
Fernando Gont
fernando at gont.com.ar
Wed May 17 05:33:28 PDT 2006
At 08:53 17/05/2006, David P. Reed wrote:
IIRC, the "Ping of Death" attack that led to a blue-screen in
Windows exploited this idea.
There might still be other systems with problems to handle these packets....
Kindest regards,
Fernando Gont
>I'd bet there is at least one IP stack that would overwrite kernel
>memory if you play this trick on it. :-)
>
>Somebody who wanted to test this hypothesis could start sending lots
>of these "extreme" packets out to random addresses, followed by
>tests to see if the addressed computers crash (ping every second for
>five seconds).
>
>Probably you should consult your lawyer before carrying out this
>experiment, if you don't work for the security dept. of the
>organization you are probing.
>
>Jeno Jeno wrote:
>>Oops, I forgot the units for fragment-offset field and total
>>length. Yes, whatever you have mentioned should be
>>possible.
>>
>>On 5/17/06, *Jeno Jeno* < su.jeno at gmail.com
>><mailto:su.jeno at gmail.com>> wrote:
>>
>> The fragment-offset field is just 13-bits. So you cannot
>> specify a fragment offset of ~64k.
>>
>>
>> On 5/16/06, *Fernando Gont* < fernando at gont.com.ar
>> <mailto:fernando at gont.com.ar>> wrote:
>>
>> Folks,
>>
>> I was going through the IP specs, and there was a point on which
>> there seems to be some ambiguity (or, well, at least it's not that
>> clear to me). I wonder what your interpretation is.
>>
>> Is the maximum "legal" IP payload defined by "Total_Length -
>> IP_Header" (i.e., around 65K), or should it be considered to
>> be the maximum payload that can be encapsulated, by using the "trick"
>> described below? (i.e., which would then result in a maximum
>> payload size of around 128K)
>>
>> (The "trick" would be to send a ~65K fragment with the MF bit set,
>> followed by a second 65K fragment with an offset of ~65K)
>>
>> Thanks!
>>
>> --
>> Fernando Gont
>> e-mail: fernando at gont.com.ar <mailto:fernando at gont.com.ar> ||
>> fgont at acm.org <mailto:fgont at acm.org>
>> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
>
>--
>Fernando Gont
>e-mail: fernando at gont.com.ar || fgont at acm.org
>PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
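The thread turns on two field widths from RFC 791: Total Length is 16 bits (so one fragment carries at most 65535 - 20 bytes of payload), and Fragment Offset is 13 bits counted in 8-octet units (so a fragment can start as far as 8191 * 8 = 65528 bytes into the datagram). The following Python is an added example, not code from the list or from any of the posters: it parses those fields from a 20-byte IPv4 header, computes where the fragment's data would land in the reassembled datagram, and applies the check a reassembler needs to avoid the Ping-of-Death condition (data extending past 65535). The headers it checks are constructed samples; `make_ipv4_header`, `parse_fragment`, `check_fragment` and `max_reassembled_size` are names chosen for this example.

```python
import struct

# RFC 791 field bounds
IP_MAX_DATAGRAM = 65535    # Total Length is a 16-bit field
IP_MIN_HEADER = 20         # header with no options
FRAG_UNIT = 8              # Fragment Offset is counted in 8-octet units
FRAG_OFFSET_MAX = 0x1FFF   # 13-bit Fragment Offset field
MF_FLAG = 0x2000           # "More Fragments" bit in the flags/offset word


def make_ipv4_header(total_length, more_fragments, offset_units):
    """Build a minimal 20-byte IPv4 header (constructed sample; checksum left zero,
    addresses from the 192.0.2.0/24 documentation range)."""
    flags_frag = (MF_FLAG if more_fragments else 0) | (offset_units & FRAG_OFFSET_MAX)
    return struct.pack("!BBHHHBBH4s4s",
                       (4 << 4) | 5,        # version 4, IHL = 5 words
                       0,                   # TOS
                       total_length,
                       0x1234,              # identification (constructed)
                       flags_frag,
                       64,                  # TTL
                       1,                   # protocol: ICMP
                       0,                   # header checksum (not computed here)
                       bytes([192, 0, 2, 1]),
                       bytes([192, 0, 2, 2]))


def parse_fragment(header):
    """Extract the reassembly-relevant fields from the first 8 bytes of an IPv4 header."""
    if len(header) < 8:
        raise ValueError("header too short")
    ver_ihl, _tos, total_length, _ident, flags_frag = struct.unpack("!BBHHH", header[:8])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < IP_MIN_HEADER or total_length < ihl:
        raise ValueError("inconsistent IHL / Total Length")
    offset = (flags_frag & FRAG_OFFSET_MAX) * FRAG_UNIT   # byte offset into the datagram
    payload_len = total_length - ihl
    return {
        "offset": offset,
        "payload_len": payload_len,
        "end": offset + payload_len,      # first byte past this fragment's data
        "mf": bool(flags_frag & MF_FLAG),
    }


def check_fragment(header):
    """Return (accepted, reason). A reassembler must refuse any fragment whose data
    would extend past the 65535-byte maximum datagram, regardless of the MF bit;
    that is exactly the "~65K offset plus ~65K payload" case discussed above."""
    try:
        frag = parse_fragment(header)
    except ValueError as exc:
        return False, str(exc)
    if frag["end"] > IP_MAX_DATAGRAM:
        return False, "fragment data ends at %d, beyond %d" % (frag["end"], IP_MAX_DATAGRAM)
    if frag["mf"] and frag["payload_len"] % FRAG_UNIT != 0:
        return False, "non-final fragment payload is not a multiple of 8 octets"
    return True, "ok"


def max_reassembled_size():
    """Largest byte position a single fragment header can describe:
    maximum offset plus maximum payload (the ~128K figure from the thread)."""
    return FRAG_OFFSET_MAX * FRAG_UNIT + (IP_MAX_DATAGRAM - IP_MIN_HEADER)


if __name__ == "__main__":
    samples = {
        "first fragment, 1480-byte payload": make_ipv4_header(1500, True, 0),
        "last fragment ending exactly at 65535": make_ipv4_header(27, False, FRAG_OFFSET_MAX),
        "oversized: max offset + 1480 bytes": make_ipv4_header(1500, False, FRAG_OFFSET_MAX),
        "MF set but payload not 8-aligned": make_ipv4_header(1501, True, 0),
    }
    for label, hdr in samples.items():
        print("%-40s -> %s" % (label, check_fragment(hdr)))
    print("theoretical maximum described size:", max_reassembled_size())
```

The interesting case is the third sample: both fields are individually within their legal ranges, and only the sum `offset + payload_len` exceeds 65535, so a reassembler that validates the two fields separately and sizes its buffer from Total Length alone is the kind of stack David Reed's reply worries about.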