[Snort-users] Re: OpenBSD IPsec DoS signature
vision at ...4...
Fri Oct 6 22:24:05 EDT 2000
This vulnerability is at the IP layer, just a floating IP header with a
zero-length payload where the protocol type is set to 50 or 51 (esp or ah).
This vulnerability is at the IP layer so there aren't really "ports".
Here are a couple of the infamous packets as they show up in snort:
10/06-18:40:12.230966 22.214.171.124:0 -> 126.96.36.199:0
IPV6-CRYPT TTL:23 TOS:0x10 ID:23
10/06-18:40:12.231070 188.8.131.52:0 -> 184.108.40.206:0
IPV6-AUTH TTL:23 TOS:0x10 ID:23
or according to `tcpdump -n -vv`:
18:41:49.627493 220.127.116.11 > 18.104.22.168: [|ESP] [tos 0x10] (ttl 23, id 23)
18:41:49.628122 22.214.171.124 > 126.96.36.199: [|AH] ip-proto-0 -65535 [tos 0x10] (ttl 23, id 23)
These are from my own code which sends similar packets to nmap -sO...
If Snort took numeric arguments as alternates to the "TCP/UDP/ICMP" field,
we could have something like:
alert 50 $EXTERNAL any -> $INTERNAL any (msg: "protocol-50_ESP_empty_payload"; dsize: 0;)
alert 51 $EXTERNAL any -> $INTERNAL any (msg: "protocol-51_AH_empty_payload"; dsize: 0;)
By the way, has anyone released demonstration exploit code for OpenBSD
photurisd or talkd? (claimed vulnerable at securityfocus) If so, I would
certainly love to see them. :)
On Fri, 6 Oct 2000, Theo de Raadt wrote:
> >A while back I tested out an OpenBSD IPsec DoS for Matt Franz
> >and he did a bugtraq advisory for it a week back or so. Testing it
> >was kinda unpleasant... soo...
> >It was quickly fixed by Theo (<1 day on a weekend nonetheless) but I
> I did not write the fix. angelos at ...590... did.
> >think that it exists in the stock 2.7 systems with IPsec enabled so we should
> >have a sig for it... (I'm purposely avoiding the "silent fix" controversy that
> >was raised by K2 in bugtraq.... But Theo's somewhat irritated "elite" post had me LOL)
> >I wanted to write a sig for it, but testing out which port causes the crash is
> >err... painful. The culprit is an IP packet with an empty payload, has anyone
> >nailed down the port to a narrower (pref single) value/range? My first guess
> >is isakmp/500 but I happen to use OpenBSD for the boxes I like to keep
> >running and count on and I'm not up to more syscrashes just yet...
> It is very unlikely to be isakmpd's port.
> >Maybe if Theo is still on-line, roaming the streets of Stockholm guerrilla
> >surfing on open wavelan ports he finds, he could enlighten us a little about his
> >fix... :-) Or if someone else knows or can test with nmap -sO the culprit
> I am still doing that, but unfortunately I am running out of battery
> since I didn't buy a power adapter yet. There's very little wavelan
> in this part of downtown, but for some reason I get it loud and clear
> if I place my laptop at just a certain angle on the hotel room
> bed... can't ask for better, I suppose.
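As an added example (mine, not code from the post or from Snort), here is the check the two proposed rules express, done directly on raw IPv4 headers: decode the header, and raise an alert when the protocol field is 50 (ESP) or 51 (AH) and the total length leaves zero payload bytes after the header. The addresses, packet bytes and function names are constructed for illustration; the TTL, TOS and ID defaults mirror the values shown in the snort output above.

```python
import socket
import struct
from typing import NamedTuple, Optional

ESP, AH = 50, 51  # IP protocol numbers for IPsec ESP and AH

class IPv4Header(NamedTuple):
    src: str
    dst: str
    proto: int
    ttl: int
    tos: int
    ident: int
    payload_len: int  # bytes after the IP header, i.e. what Snort's dsize sees

def parse_ipv4(pkt: bytes) -> IPv4Header:
    """Decode the IPv4 header fields needed for the empty-payload check."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, total_len, ident, _frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    return IPv4Header(src, dst, proto, ttl, tos, ident, total_len - ihl)

def empty_ipsec_alert(pkt: bytes) -> Optional[str]:
    """Alert text for a protocol-50/51 packet carrying no payload, else None."""
    h = parse_ipv4(pkt)
    if h.proto in (ESP, AH) and h.payload_len == 0:
        name = "ESP" if h.proto == ESP else "AH"
        return (f"protocol-{h.proto}_{name}_empty_payload {h.src} -> {h.dst} "
                f"TTL:{h.ttl} TOS:{h.tos:#x} ID:{h.ident}")
    return None

def build_ipv4(src: str, dst: str, proto: int, payload: bytes = b"",
               ttl: int = 23, tos: int = 0x10, ident: int = 23) -> bytes:
    """Constructed test packet: bare 20-byte IPv4 header (checksum left 0) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), ident, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

# Constructed samples (documentation addresses): the two floating-header packets from
# the post, then an ESP packet that does carry data and an empty non-IPsec packet.
SAMPLES = [
    build_ipv4("192.0.2.1", "198.51.100.2", ESP),
    build_ipv4("192.0.2.1", "198.51.100.2", AH),
    build_ipv4("192.0.2.1", "198.51.100.2", ESP, payload=b"\x00" * 8),
    build_ipv4("192.0.2.1", "198.51.100.2", 17),
]
```

Only the first two samples trip the check; an ESP packet that actually carries data, or an empty packet of some other protocol, stays quiet. Later Snort releases express the same match with the `ip` rule protocol and the `ip_proto` option alongside `dsize: 0`.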