因特网与TCP IP安全.ppt

第五章 因特网与TCP/IP安全 主要内容： TCP/IP协议体系结构 IP协议安全 TCP协议安全 UDP协议安全 ARP/RARP协议 ICMP协议 网络服务 ISO/OSI TCP/IP PROTOCOL RM TCP/IP PROTOCOL SUITE INTERNET ADDRESS PROTOCOL ENCAPSULATION IP PROTOCOL PING OF DEATH Date: 21 October 1996 Vulnerable Systems : Linux, Solaris x86, and Macintosh systems are often vulnerable Description: gazillions of machines can be crashed by sending IP packets that exceed the maximum legal length (65535 octets) Compromise: Stupid DOS Details : /sploits/ping-o-death.html Why it’s happening Background Information on ICMP ECHO (ping): IP packets as per RFC-791 can be up to 65,535 (2^16-1) octets long, which includes the header length (typically 20 octets if no IP options are specified). Packets that are bigger than the maximum size the underlying layer can handle (the MTU) are fragmented into smaller packets, which are then reassembled by the receiver. For ethernet style devices, the MTU is typically 1500. Why it’s happening An ICMP ECHO request lives inside the IP packet, consisting of eight octets of ICMP header information (RFC-792) followed by the number of data octets in the ping request. Hence the maximum allowable size of the data area is 65535 - 20 - 8 = 65507 octets. What causes machine to crash from this? It’s possible to send an illegal echo packet with more than 65507 octets of data due to the way the fragmentation is performed. The fragmentation relies on an offset value in each fragment to determine where the individual fragment goes upon reassembly. Thus on the last fragment, it is possible to combine a valid offset with a suitable fragment size such that (offset + size) 65535. Since typical machines dont process the packet until they have all fragments and have tried to reassemble it, there is the possibility for overflow of 16 bit internal variables, which can lead to system crashes, reboots, kernel dumps and the like. How to test if youre vulnerable Windows 95 or NT box (3.51 or 4), and run the following command: ping