[Dshield] Port 16 traffic

Chris Brenton cbrenton at chrisbrenton.org
Fri Dec 23 16:54:16 GMT 2005


On Fri, 2005-12-23 at 07:25 -0800, jmulkerin wrote:
>
> [Root]system-critical-00440: Fragmented traffic! From 
> 216.234.234.34:20864 to DNSSERVER:16, proto UDP (zone Untrust, int 
> ethernet1). Occurred 1 times. (2005-12-23 07:18:39)
> 
> We have nothing running on port 16 and haven't found any covert channels 
> running on port 16.

My guess is it's a resource exhaustion attack against the firewall. Port
16 has been chosen because it really does not matter. It's more about
chewing up memory on the stateful inspection firewall.

A former student of mine wrote this up a while ago:
http://digital.net/~gandalf/Rose_Frag_Attack_Explained.htm

Problem is vendors have done very little and the attack is still valid.
In testing I've performed I've been able to get PIX to drop legitimate
fragments using a technique similar to the one described in the paper.
I've been able to get Netscreen firewalls to drop even non-fragmented
traffic and FW-1 to run about 30% higher in CPU.

So watch your levels and watch your drops (at the Ethernet level) to see
if this attack is whacking legitimate traffic. If it does, this can be
resolved by running something like Netfilter or pf in front of your main
firewall. If address space is an issue, run them in bridging mode.

HTH,
Chris
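As an added example, not part of the original post or of any vendor's tooling: a small Python detector that parses NetScreen-style "Fragmented traffic!" alerts like the one quoted above and flags sources whose summed "Occurred N times" counts exceed a threshold inside a sliding window, which is one way to "watch your levels" for the sustained-fragment pattern Chris describes. The log format is inferred from that single quoted line, and the sample log (beyond the first line), window size and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Pattern for the NetScreen-style alert quoted in the thread (format assumed from that one line).
FRAG_RE = re.compile(
    r"system-critical-00440: Fragmented traffic! From "
    r"(?P<src>[\w.\-]+):(?P<sport>\d+) to (?P<dst>[\w.\-]+):(?P<dport>\d+), "
    r"proto (?P<proto>\w+).*?Occurred (?P<count>\d+) times\. "
    r"\((?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\)"
)

# Constructed sample log: the first line is the one quoted in the thread, the rest are made up.
SAMPLE_LOG = [
    "[Root]system-critical-00440: Fragmented traffic! From 216.234.234.34:20864 to DNSSERVER:16, proto UDP (zone Untrust, int ethernet1). Occurred 1 times. (2005-12-23 07:18:39)",
    "[Root]system-critical-00440: Fragmented traffic! From 216.234.234.34:20865 to DNSSERVER:16, proto UDP (zone Untrust, int ethernet1). Occurred 6 times. (2005-12-23 07:19:10)",
    "[Root]system-critical-00440: Fragmented traffic! From 216.234.234.34:20866 to DNSSERVER:16, proto UDP (zone Untrust, int ethernet1). Occurred 5 times. (2005-12-23 07:20:02)",
    "[Root]system-critical-00440: Fragmented traffic! From 216.234.234.34:20867 to DNSSERVER:16, proto UDP (zone Untrust, int ethernet1). Occurred 3 times. (2005-12-23 08:30:00)",
    "[Root]system-critical-00440: Fragmented traffic! From 198.51.100.7:4433 to DNSSERVER:53, proto UDP (zone Untrust, int ethernet1). Occurred 2 times. (2005-12-23 07:19:30)",
    "[Root]system-notification: unrelated constructed event, should be ignored (2005-12-23 07:19:45)",
]

def parse_frag_alert(line):
    """Return the alert's fields as a dict, or None for lines that are not this alert."""
    m = FRAG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec

def flag_sources(lines, window=timedelta(minutes=5), threshold=10):
    """Sum 'Occurred N times' per source over a sliding window; return {src: peak_total}
    for sources whose total exceeds threshold (the sustained-fragment pattern)."""
    per_src = defaultdict(list)
    for rec in sorted(filter(None, map(parse_frag_alert, lines)), key=lambda r: r["ts"]):
        per_src[rec["src"]].append(rec)
    flagged = {}
    for src, recs in per_src.items():
        start = 0
        for end, rec in enumerate(recs):
            while rec["ts"] - recs[start]["ts"] > window:
                start += 1  # slide the window forward past old alerts
            total = sum(r["count"] for r in recs[start:end + 1])
            if total > threshold:
                flagged[src] = max(flagged.get(src, 0), total)
    return flagged
```

Correlate a flagged source with Ethernet-level drop counters on the firewall before concluding anything; the count alone shows sustained fragment traffic, not its effect.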