[Snort-devel] bug report: crash in spp_frag2.c during DoS attack

Martin Roesch roesch at ...402...
Tue Jul 24 21:49:31 EDT 2001


Thanks.  What are you using to generate the frags (so I can test
here...)?

    -Marty

Francois Baligant wrote:
> 
> System Architecture: Intel x86
> 
> OS: Redhat 7.0.90
> 
> snort.conf:
> 
> preprocessor frag2
> 
> Kind of DoS attack:
> 
> 07/24-23:00:48.134976 209.221.83.7 -> 195.74.192.146
> ICMP TTL:103 TOS:0x0 ID:24892 IpLen:20 DgmLen:1500 MF
> Frag Offset: 0x172   Frag Size: 0x6E
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> 07/24-23:00:48.135120 161.58.176.41 -> 195.74.192.146
> UDP TTL:113 TOS:0x0 ID:13084 IpLen:20 DgmLen:1500 MF
> Frag Offset: 0x0   Frag Size: 0x6E
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> 07/24-23:00:48.135386 209.221.83.7 -> 195.74.192.146
> ICMP TTL:103 TOS:0x0 ID:24892 IpLen:20 DgmLen:1500 MF
> Frag Offset: 0x22B   Frag Size: 0x6E
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> 07/24-23:00:48.135509 161.58.176.185 -> 195.74.192.146
> UDP TTL:113 TOS:0x0 ID:42469 IpLen:20 DgmLen:1500 MF
> Frag Offset: 0xB9   Frag Size: 0x6E
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> 07/24-23:00:48.135927 209.221.83.7 -> 195.74.192.146
> ICMP TTL:103 TOS:0x0 ID:24892 IpLen:20 DgmLen:1500 MF
> Frag Offset: 0x2E4   Frag Size: 0x6E
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
>         fast, around 90 megabit and 20000 packets/second
> 
>         The attack seems to be a mix of UDP and ICMP frags
> 
> Version:
> -*> Snort! <*-
> Version 1.8.1-beta3 (Build 47)
> By Martin Roesch (roesch at ...402..., www.snort.org)
> 
> Core dump analysis:
> 
> #0  0x08078320 in InsertFrag (p=0xbffff3d8, ft=0x86ac830) at
> spp_frag2.c:535
> 535                     (ubi_btNodePtr)newfrag, (ubi_btNodePtr*)dup) ==
> FALSE)
> (gdb) bt
> #0  0x08078320 in InsertFrag (p=0xbffff3d8, ft=0x86ac830) at
> spp_frag2.c:535
> #1  0x08078137 in Frag2Defrag (p=0xbffff3d8) at spp_frag2.c:430
> #2  0x0805602a in Preprocess (p=0xbffff3d8) at rules.c:3427
> #3  0x0804b6ab in ProcessPacket (user=0x0, pkthdr=0xbffff888,
> pkt=0x80d9f10 "") at snort.c:512
> #4  0x0807907a in pcap_read_packet ()
> #5  0x08079e13 in pcap_loop ()
> #6  0x0804caf4 in InterfaceThread (arg=0x0) at snort.c:1441
> #7  0x0804b57b in main (argc=8, argv=0xbffffa3c) at snort.c:445
> #8  0x401aaf11 in __libc_start_main (main=0x804af1c <main>, argc=8,
> ubp_av=0xbffffa3c, init=0x804a2e0 <_init>,
>     fini=0x8082fdc <_fini>, rtld_fini=0x4000e214 <_dl_fini>,
> stack_end=0xbffffa34) at ../sysdeps/generic/libc-start.c:129
> 
> (gdb) print newfrag
> $1 = (Frag2Frag *) 0x84384b8
> (gdb) print *newfrag
> $2 = {Node = {Link = {0x0, 0x0, 0x0}, gender = 0 '\000', balance = 0
> '\000'},
>   data = 0x84384d8
> "ghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuv"...,
> size = 1480, offset = 28120}
> (gdb) print ft
> $3 = (FragTracker *) 0x86ac830
> (gdb) print *ft
> Cannot access memory at address 0x86ac830
> (gdb) print dup
> $4 = (Frag2Frag **) 0x421805c8
> 
> (up.. up..)
> 
> (gdb) print p
> $7 = (Packet *) 0xbffff3d8
> (gdb) print *p
> $8 = {pkth = 0xbffff888, pkt = 0x80d9f10 "", fddihdr = 0x0, fddisaps =
> 0x0, fddisna = 0x0, fddiiparp = 0x0, fddiother = 0x0,
>   trh = 0x0, trhllc = 0x0, trhmr = 0x0, sllh = 0x0, eh = 0x80d9f10, vh =
> 0x0, ehllc = 0x0, ehllcother = 0x0, ah = 0x0,
>   iph = 0x80d9f1e, orig_iph = 0x0, ip_options_len = 0, ip_options_data =
> 0x0, tcph = 0x0, orig_tcph = 0x0, tcp_options_len = 0,
>   tcp_options_data = 0x0, udph = 0x0, orig_udph = 0x0, icmph = 0x0,
> orig_icmph = 0x0, ext = 0x0,
>   data = 0x80d9f32
> "ghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuv"...,
> dsize = 1480, frag_flag = 1 '\001',
>   frag_offset = 3515, mf = 1 '\001', df = 0 '\000', rf = 0 '\000', sp = 0,
> dp = 0, orig_sp = 0, orig_dp = 0, caplen = 0, URI = {
>     uri = 0x0, length = 0}, ssnptr = 0x0, ip_options = {{code = 0 '\000',
> len = 0, data = 0x0} <repeats 40 times>},
>   ip_option_count = 0, ip_lastopt_bad = 0 '\000', tcp_options = {{code = 0
> '\000', len = 0, data = 0x0} <repeats 40 times>},
>   tcp_option_count = 0, tcp_lastopt_bad = 0 '\000', csum_flags = 0 '\000',
> packet_flags = 0, wire_packet = 0 '\000'}
> 
>         regards,
>         Francois
> --
> 
> Francois Baligant            _     Wanadoo Belgium NV/SA,
> Network Operation Center    ( )       a subsidiary of France Telecom
>                             /_\/   Lozenberg 22 - B-1932 Zaventem
> francois at ...565...    (__/\   tel: +32 2 717 17 17
> FB1-6BONE                          fax: +32 2 717 17 77
> 
> - "if you hold a unix shell to your ear, do you hear the c?"
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/lists/listinfo/snort-devel
--
Martin Roesch
roesch at ...402...
http://www.sourcefire.com - http://www.snort.org
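
As an added example, not code from this thread or from Snort itself: a small Python parser for the fragment entries quoted in the report, which converts the 8-byte "Frag Offset" units to byte offsets the way the gdb dump shows frag2 does (frag_offset = 3515 gives offset = 28120) and flags fragments that overlap an earlier fragment of the same datagram or run past the IPv4 maximum. The last two sample entries are constructed; the fragment payload length is taken as DgmLen minus IpLen (1480, matching dsize in the dump) rather than from the printed Frag Size field.

```python
"""Added example (not from the thread or Snort): parse Snort 1.8 fragment
log entries, convert the 8-byte Frag Offset units to bytes as the gdb dump
shows frag2 does (3515 * 8 == 28120), and flag oversize/overlapping frags."""
import re
from collections import defaultdict

# Constructed sample: two entries from the report (ID 24892) plus two made-up
# ones: an overlap of the first, and a fragment past the 65535-byte IPv4 limit.
SAMPLE_LOG = """\
07/24-23:00:48.134976 209.221.83.7 -> 195.74.192.146
ICMP TTL:103 TOS:0x0 ID:24892 IpLen:20 DgmLen:1500 MF
Frag Offset: 0x172   Frag Size: 0x6E
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
07/24-23:00:48.135386 209.221.83.7 -> 195.74.192.146
ICMP TTL:103 TOS:0x0 ID:24892 IpLen:20 DgmLen:1500 MF
Frag Offset: 0x22B   Frag Size: 0x6E
07/24-23:00:48.135500 209.221.83.7 -> 195.74.192.146
ICMP TTL:103 TOS:0x0 ID:24892 IpLen:20 DgmLen:1500 MF
Frag Offset: 0x200   Frag Size: 0x6E
07/24-23:00:48.135600 10.0.0.1 -> 195.74.192.146
UDP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:1500 MF
Frag Offset: 0x1FFF   Frag Size: 0x6E
"""
HDR = re.compile(r"^(\S+) (\S+) -> (\S+)$")
IPL = re.compile(r"^(\w+) TTL:\d+ TOS:0x\w+ ID:(\d+) IpLen:(\d+) DgmLen:(\d+)(.*)$")
FRG = re.compile(r"^Frag Offset: 0x([0-9A-Fa-f]+)\s+Frag Size: 0x[0-9A-Fa-f]+$")

def parse_frags(text):
    """One dict per fragment (three log lines); separator lines are skipped."""
    frags, cur = [], {}
    for line in text.splitlines():
        if m := HDR.match(line):
            cur = {"ts": m[1], "src": m[2], "dst": m[3]}
        elif m := IPL.match(line):
            # payload length is DgmLen - IpLen (1480 here, the dsize in the dump)
            cur.update(proto=m[1], ipid=int(m[2]), payload=int(m[4]) - int(m[3]),
                       mf="MF" in m[5])
        elif (m := FRG.match(line)) and "payload" in cur:
            cur["offset"] = int(m[1], 16) * 8   # 8-byte units -> byte offset
            frags.append(cur)
            cur = {}
    return frags

def check_frags(frags):
    """Return (reason, fragment) findings, tracking byte ranges per datagram."""
    ranges = defaultdict(list)  # (src, dst, proto, ipid) -> [(start, end)]
    findings = []
    for f in frags:
        start, end = f["offset"], f["offset"] + f["payload"]
        key = (f["src"], f["dst"], f["proto"], f["ipid"])
        if end > 65535:
            findings.append(("beyond IPv4 max datagram size", f))
        if any(start < e and s < end for s, e in ranges[key]):
            findings.append(("overlaps an earlier fragment", f))
        ranges[key].append((start, end))
    return findings
```

Run `check_frags(parse_frags(SAMPLE_LOG))` to get the two findings for the constructed entries; the report's own two fragments of ID 24892 are adjacent (2960-4440 and 4440-5920) and pass clean.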



