[Snort-devel] bug report: crash in spp_frag2.c during DoS attack

Francois Baligant francois at ...565...
Tue Jul 24 21:52:18 EDT 2001


	It's a tcpdump file from a part of a real attack. Unfortunately
	Snort does not crash when reading this file, so I guess the evil
	packet wasn't logged (shame).

	I have no idea which DDoS tool was used to generate the
	attack.

	Francois
-- 

Francois Baligant            _     Wanadoo Belgium NV/SA,
Network Operation Center    ( )       a subsidiary of France Telecom
                            /_\/   Lozenberg 22 - B-1932 Zaventem
francois at ...565...    (__/\   tel: +32 2 717 17 17
FB1-6BONE                          fax: +32 2 717 17 77

- "if you hold a unix shell to your ear, do you hear the c?"

On Tue, 24 Jul 2001, Martin Roesch wrote:

> Thanks.  What are you using to generate the frags (so I can test
> here...)?
>
>     -Marty
>
> Francois Baligant wrote:
> >
> > System Architecture: Intel x86
> >
> > OS: Redhat 7.0.90
> >
> > snort.conf:
> >
> > preprocessor frag2
> >
> > Kind of DoS attack:
> >
> > 07/24-23:00:48.134976 209.221.83.7 -> 195.74.192.146
> > ICMP TTL:103 TOS:0x0 ID:24892 IpLen:20 DgmLen:1500 MF
> > Frag Offset: 0x172   Frag Size: 0x6E
> > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> >
> > 07/24-23:00:48.135120 161.58.176.41 -> 195.74.192.146
> > UDP TTL:113 TOS:0x0 ID:13084 IpLen:20 DgmLen:1500 MF
> > Frag Offset: 0x0   Frag Size: 0x6E
> > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> >
> > 07/24-23:00:48.135386 209.221.83.7 -> 195.74.192.146
> > ICMP TTL:103 TOS:0x0 ID:24892 IpLen:20 DgmLen:1500 MF
> > Frag Offset: 0x22B   Frag Size: 0x6E
> > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> >
> > 07/24-23:00:48.135509 161.58.176.185 -> 195.74.192.146
> > UDP TTL:113 TOS:0x0 ID:42469 IpLen:20 DgmLen:1500 MF
> > Frag Offset: 0xB9   Frag Size: 0x6E
> > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> >
> > 07/24-23:00:48.135927 209.221.83.7 -> 195.74.192.146
> > ICMP TTL:103 TOS:0x0 ID:24892 IpLen:20 DgmLen:1500 MF
> > Frag Offset: 0x2E4   Frag Size: 0x6E
> > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> >
> >         fast, around 90 megabit and 20000 packets/second
> >
> >         The attack seems to be a mix of UDP and ICMP frags
> >
> > Version:
> > -*> Snort! <*-
> > Version 1.8.1-beta3 (Build 47)
> > By Martin Roesch (roesch at ...402..., www.snort.org)
> >
> > Core dump analysis:
> >
> > #0  0x08078320 in InsertFrag (p=0xbffff3d8, ft=0x86ac830) at
> > spp_frag2.c:535
> > 535                     (ubi_btNodePtr)newfrag, (ubi_btNodePtr*)dup) ==
> > FALSE)
> > (gdb) bt
> > #0  0x08078320 in InsertFrag (p=0xbffff3d8, ft=0x86ac830) at
> > spp_frag2.c:535
> > #1  0x08078137 in Frag2Defrag (p=0xbffff3d8) at spp_frag2.c:430
> > #2  0x0805602a in Preprocess (p=0xbffff3d8) at rules.c:3427
> > #3  0x0804b6ab in ProcessPacket (user=0x0, pkthdr=0xbffff888,
> > pkt=0x80d9f10 "") at snort.c:512
> > #4  0x0807907a in pcap_read_packet ()
> > #5  0x08079e13 in pcap_loop ()
> > #6  0x0804caf4 in InterfaceThread (arg=0x0) at snort.c:1441
> > #7  0x0804b57b in main (argc=8, argv=0xbffffa3c) at snort.c:445
> > #8  0x401aaf11 in __libc_start_main (main=0x804af1c <main>, argc=8,
> > ubp_av=0xbffffa3c, init=0x804a2e0 <_init>,
> >     fini=0x8082fdc <_fini>, rtld_fini=0x4000e214 <_dl_fini>,
> > stack_end=0xbffffa34) at ../sysdeps/generic/libc-start.c:129
> >
> > (gdb) print newfrag
> > $1 = (Frag2Frag *) 0x84384b8
> > (gdb) print *newfrag
> > $2 = {Node = {Link = {0x0, 0x0, 0x0}, gender = 0 '\000', balance = 0
> > '\000'},
> >   data = 0x84384d8
> > "ghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuv"...,
> > size = 1480, offset = 28120}
> > (gdb) print ft
> > $3 = (FragTracker *) 0x86ac830
> > (gdb) print *ft
> > Cannot access memory at address 0x86ac830
> > (gdb) print dup
> > $4 = (Frag2Frag **) 0x421805c8
> >
> > (up.. up..)
> >
> > (gdb) print p
> > $7 = (Packet *) 0xbffff3d8
> > (gdb) print *p
> > $8 = {pkth = 0xbffff888, pkt = 0x80d9f10 "", fddihdr = 0x0, fddisaps =
> > 0x0, fddisna = 0x0, fddiiparp = 0x0, fddiother = 0x0,
> >   trh = 0x0, trhllc = 0x0, trhmr = 0x0, sllh = 0x0, eh = 0x80d9f10, vh =
> > 0x0, ehllc = 0x0, ehllcother = 0x0, ah = 0x0,
> >   iph = 0x80d9f1e, orig_iph = 0x0, ip_options_len = 0, ip_options_data =
> > 0x0, tcph = 0x0, orig_tcph = 0x0, tcp_options_len = 0,
> >   tcp_options_data = 0x0, udph = 0x0, orig_udph = 0x0, icmph = 0x0,
> > orig_icmph = 0x0, ext = 0x0,
> >   data = 0x80d9f32
> > "ghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuv"...,
> > dsize = 1480, frag_flag = 1 '\001',
> >   frag_offset = 3515, mf = 1 '\001', df = 0 '\000', rf = 0 '\000', sp = 0,
> > dp = 0, orig_sp = 0, orig_dp = 0, caplen = 0, URI = {
> >     uri = 0x0, length = 0}, ssnptr = 0x0, ip_options = {{code = 0 '\000',
> > len = 0, data = 0x0} <repeats 40 times>},
> >   ip_option_count = 0, ip_lastopt_bad = 0 '\000', tcp_options = {{code = 0
> > '\000', len = 0, data = 0x0} <repeats 40 times>},
> >   tcp_option_count = 0, tcp_lastopt_bad = 0 '\000', csum_flags = 0 '\000',
> > packet_flags = 0, wire_packet = 0 '\000'}
> >
> >         regards,
> >         Francois
> --
> Martin Roesch
> roesch at ...402...
> http://www.sourcefire.com - http://www.snort.org
>
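As an added defender-side example (not part of the original report or of the Snort code base), a small Python parser for the fragment records quoted above: it groups them into the per-datagram trackers that frag2 keeps (source, destination, protocol, IP ID) and flags trackers that have no first or last fragment, that overlap, or whose reassembled size would exceed the 65535-byte IP maximum. The sample log is constructed from three of the report's records, and payload length is taken as DgmLen minus IpLen rather than from the logged Frag Size field.

```python
import re
from collections import defaultdict

# Constructed sample: three of the fragment records quoted in the bug report,
# in the Snort 1.8 packet-log layout (the "=+=+" separator lines are dropped).
SAMPLE_LOG = """\
07/24-23:00:48.134976 209.221.83.7 -> 195.74.192.146
ICMP TTL:103 TOS:0x0 ID:24892 IpLen:20 DgmLen:1500 MF
Frag Offset: 0x172   Frag Size: 0x6E
07/24-23:00:48.135120 161.58.176.41 -> 195.74.192.146
UDP TTL:113 TOS:0x0 ID:13084 IpLen:20 DgmLen:1500 MF
Frag Offset: 0x0   Frag Size: 0x6E
07/24-23:00:48.135386 209.221.83.7 -> 195.74.192.146
ICMP TTL:103 TOS:0x0 ID:24892 IpLen:20 DgmLen:1500 MF
Frag Offset: 0x22B   Frag Size: 0x6E
"""

HDR = re.compile(r"^\S+ (\S+) -> (\S+)$")
IPH = re.compile(r"^(\w+) TTL:\d+ TOS:\S+ ID:(\d+) IpLen:(\d+) DgmLen:(\d+)(.*)$")
FRG = re.compile(r"^Frag Offset: (0x[0-9A-Fa-f]+)\s+Frag Size: (0x[0-9A-Fa-f]+)$")

def parse_frags(text):
    """One dict per 3-line record; the IP fragment offset is converted from 8-byte units to bytes."""
    lines = [l for l in text.splitlines() if l and not l.startswith("=+")]
    frags = []
    for i in range(0, len(lines) - 2, 3):
        h, p, f = HDR.match(lines[i]), IPH.match(lines[i + 1]), FRG.match(lines[i + 2])
        if not (h and p and f):
            continue  # not a fragment record (or a line wrapped by the mailer); skip it
        frags.append({"src": h.group(1), "dst": h.group(2), "proto": p.group(1),
                      "id": int(p.group(2)), "mf": "MF" in p.group(5).split(),
                      "offset": int(f.group(1), 16) * 8,
                      "len": int(p.group(4)) - int(p.group(3))})  # payload = DgmLen - IpLen
    return frags

def tracker_report(frags):
    """Group by the (src, dst, proto, id) key a reassembler uses and describe each tracker."""
    by_key = defaultdict(list)
    for fr in frags:
        by_key[(fr["src"], fr["dst"], fr["proto"], fr["id"])].append(fr)
    report = {}
    for key, fs in by_key.items():
        fs.sort(key=lambda x: x["offset"])
        report[key] = {
            "count": len(fs),
            "has_first": any(f["offset"] == 0 for f in fs),      # offset-0 fragment seen
            "has_last": any(not f["mf"] for f in fs),            # a fragment without MF seen
            "overlap": any(fs[i]["offset"] < fs[i - 1]["offset"] + fs[i - 1]["len"] for i in range(1, len(fs))),
            "oversize": max(f["offset"] + f["len"] for f in fs) > 65535}  # beyond IP maximum
    return report
```

Trackers with neither a first nor a last fragment, arriving at the rate the report describes, are the in-flight state a fragment flood piles up in the reassembler; counting them per source is the alert a defender would build on this.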