[Snort-devel] bug report: crash in spp_frag2.c during DoS attack

Francois Baligant francois at ...565...
Tue Jul 24 21:19:28 EDT 2001


System Architecture: Intel x86

OS: Redhat 7.0.90

snort.conf:

preprocessor frag2

Kind of DoS attack:


07/24-23:00:48.134976 209.221.83.7 -> 195.74.192.146
ICMP TTL:103 TOS:0x0 ID:24892 IpLen:20 DgmLen:1500 MF
Frag Offset: 0x172   Frag Size: 0x6E
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/24-23:00:48.135120 161.58.176.41 -> 195.74.192.146
UDP TTL:113 TOS:0x0 ID:13084 IpLen:20 DgmLen:1500 MF
Frag Offset: 0x0   Frag Size: 0x6E
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/24-23:00:48.135386 209.221.83.7 -> 195.74.192.146
ICMP TTL:103 TOS:0x0 ID:24892 IpLen:20 DgmLen:1500 MF
Frag Offset: 0x22B   Frag Size: 0x6E
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/24-23:00:48.135509 161.58.176.185 -> 195.74.192.146
UDP TTL:113 TOS:0x0 ID:42469 IpLen:20 DgmLen:1500 MF
Frag Offset: 0xB9   Frag Size: 0x6E
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/24-23:00:48.135927 209.221.83.7 -> 195.74.192.146
ICMP TTL:103 TOS:0x0 ID:24892 IpLen:20 DgmLen:1500 MF
Frag Offset: 0x2E4   Frag Size: 0x6E
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

	fast, around 90 megabit and 20000 packets/second

	The attack seems to be a mix of UDP and ICMP frags

Version:
-*> Snort! <*-
Version 1.8.1-beta3 (Build 47)
By Martin Roesch (roesch at ...402..., www.snort.org)

Core dump analysis:

#0  0x08078320 in InsertFrag (p=0xbffff3d8, ft=0x86ac830) at
spp_frag2.c:535
535                     (ubi_btNodePtr)newfrag, (ubi_btNodePtr*)dup) ==
FALSE)
(gdb) bt
#0  0x08078320 in InsertFrag (p=0xbffff3d8, ft=0x86ac830) at
spp_frag2.c:535
#1  0x08078137 in Frag2Defrag (p=0xbffff3d8) at spp_frag2.c:430
#2  0x0805602a in Preprocess (p=0xbffff3d8) at rules.c:3427
#3  0x0804b6ab in ProcessPacket (user=0x0, pkthdr=0xbffff888,
pkt=0x80d9f10 "") at snort.c:512
#4  0x0807907a in pcap_read_packet ()
#5  0x08079e13 in pcap_loop ()
#6  0x0804caf4 in InterfaceThread (arg=0x0) at snort.c:1441
#7  0x0804b57b in main (argc=8, argv=0xbffffa3c) at snort.c:445
#8  0x401aaf11 in __libc_start_main (main=0x804af1c <main>, argc=8,
ubp_av=0xbffffa3c, init=0x804a2e0 <_init>,
    fini=0x8082fdc <_fini>, rtld_fini=0x4000e214 <_dl_fini>,
stack_end=0xbffffa34) at ../sysdeps/generic/libc-start.c:129

(gdb) print newfrag
$1 = (Frag2Frag *) 0x84384b8
(gdb) print *newfrag
$2 = {Node = {Link = {0x0, 0x0, 0x0}, gender = 0 '\000', balance = 0
'\000'},
  data = 0x84384d8
"ghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuv"...,
size = 1480, offset = 28120}
(gdb) print ft
$3 = (FragTracker *) 0x86ac830
(gdb) print *ft
Cannot access memory at address 0x86ac830
(gdb) print dup
$4 = (Frag2Frag **) 0x421805c8

(up.. up..)

(gdb) print p
$7 = (Packet *) 0xbffff3d8
(gdb) print *p
$8 = {pkth = 0xbffff888, pkt = 0x80d9f10 "", fddihdr = 0x0, fddisaps =
0x0, fddisna = 0x0, fddiiparp = 0x0, fddiother = 0x0,
  trh = 0x0, trhllc = 0x0, trhmr = 0x0, sllh = 0x0, eh = 0x80d9f10, vh =
0x0, ehllc = 0x0, ehllcother = 0x0, ah = 0x0,
  iph = 0x80d9f1e, orig_iph = 0x0, ip_options_len = 0, ip_options_data =
0x0, tcph = 0x0, orig_tcph = 0x0, tcp_options_len = 0,
  tcp_options_data = 0x0, udph = 0x0, orig_udph = 0x0, icmph = 0x0,
orig_icmph = 0x0, ext = 0x0,
  data = 0x80d9f32
"ghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuv"...,
dsize = 1480, frag_flag = 1 '\001',
  frag_offset = 3515, mf = 1 '\001', df = 0 '\000', rf = 0 '\000', sp = 0,
dp = 0, orig_sp = 0, orig_dp = 0, caplen = 0, URI = {
    uri = 0x0, length = 0}, ssnptr = 0x0, ip_options = {{code = 0 '\000',
len = 0, data = 0x0} <repeats 40 times>},
  ip_option_count = 0, ip_lastopt_bad = 0 '\000', tcp_options = {{code = 0
'\000', len = 0, data = 0x0} <repeats 40 times>},
  tcp_option_count = 0, tcp_lastopt_bad = 0 '\000', csum_flags = 0 '\000',
packet_flags = 0, wire_packet = 0 '\000'}



	regards,
	Francois
-- 

Francois Baligant            _     Wanadoo Belgium NV/SA,
Network Operation Center    ( )       a subsidiary of France Telecom
                            /_\/   Lozenberg 22 - B-1932 Zaventem
francois at ...565...    (__/\   tel: +32 2 717 17 17
FB1-6BONE                          fax: +32 2 717 17 77

- "if you hold a unix shell to your ear, do you hear the c?"
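An added example, not part of the original report or of Snort's own code: it parses the Snort 1.8 packet-log fragment records quoted in the report, converts the "Frag Offset" field from 8-byte units to bytes (the gdb dump above shows frag_offset = 3515 beside offset = 28120), and applies the two RFC 791 bounds checks a defragmenter has to survive before it ever touches a fragment tree. The regex patterns and the sample lines are constructed from the report's own output format and are assumptions about that layout, not Snort's parser.

```python
import re
from collections import defaultdict
# Constructed sample in the Snort 1.8 packet-log layout quoted in the report above.
SAMPLE_LOG = """\
07/24-23:00:48.134976 209.221.83.7 -> 195.74.192.146
ICMP TTL:103 TOS:0x0 ID:24892 IpLen:20 DgmLen:1500 MF
Frag Offset: 0x172   Frag Size: 0x6E
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
07/24-23:00:48.135120 161.58.176.41 -> 195.74.192.146
UDP TTL:113 TOS:0x0 ID:13084 IpLen:20 DgmLen:1500 MF
Frag Offset: 0x0   Frag Size: 0x6E
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
07/24-23:00:48.135386 209.221.83.7 -> 195.74.192.146
ICMP TTL:103 TOS:0x0 ID:24892 IpLen:20 DgmLen:1500 MF
Frag Offset: 0x22B   Frag Size: 0x6E
"""
HDR = re.compile(r"^(\S+) (\S+) -> (\S+)$")
IPL = re.compile(r"^(\w+) TTL:\d+ TOS:0x[0-9A-Fa-f]+ ID:(\d+) IpLen:(\d+) DgmLen:(\d+)( MF)?$")
FRG = re.compile(r"^Frag Offset: 0x([0-9A-Fa-f]+)\s+Frag Size: 0x([0-9A-Fa-f]+)$")
def frag_units_to_bytes(units):
    """The IP fragment offset field counts 8-byte units (RFC 791)."""
    return units * 8

def parse_frags(text):
    """Parse three-line records (skipping =+=+ separators) and flag two RFC 791
    violations: offset+payload past 65535, or an MF fragment not a multiple of 8."""
    lines = [l for l in text.splitlines() if l and not l.startswith("=+")]
    recs = []
    for i in range(0, len(lines) - 2, 3):
        h, ip, fr = HDR.match(lines[i]), IPL.match(lines[i + 1]), FRG.match(lines[i + 2])
        if not (h and ip and fr):
            continue
        payload = int(ip.group(4)) - int(ip.group(3))   # DgmLen - IpLen
        off = frag_units_to_bytes(int(fr.group(1), 16))
        mf = ip.group(5) is not None
        recs.append({"ts": h.group(1), "src": h.group(2), "dst": h.group(3),
                     "proto": ip.group(1), "ip_id": int(ip.group(2)), "mf": mf,
                     "offset": off, "payload": payload, "end": off + payload,
                     "oversized": off + payload > 65535,
                     "bad_mf_len": mf and payload % 8 != 0})
    return recs

def per_datagram(recs):
    """Group fragments by (src, dst, proto, IP ID): how many seen, highest byte reached."""
    out = defaultdict(lambda: {"count": 0, "max_end": 0})
    for r in recs:
        d = out[(r["src"], r["dst"], r["proto"], r["ip_id"])]
        d["count"] += 1
        d["max_end"] = max(d["max_end"], r["end"])
    return dict(out)
```

On the quoted records the ICMP fragments of ID 24892 sit at byte offsets 2960 and 4440, exactly one 1480-byte payload apart, so the stream is a well-formed large datagram delivered at high rate rather than an out-of-bounds offset.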
