Fragmentation Overlap Attacks: Teardrop, Bonk, Boink And Nestea; The Land And Latierra Attacks; The Winnuke Attack - D-Link NetDefend DFL-210 User Manual

Network security firewall
to run "ping -l 65510 1.2.3.4" on a Windows 95 system where 1.2.3.4 is the IP address of the
intended victim. "Jolt" is simply a purpose-written program for generating such packets on operating
systems whose ping commands refuse to generate oversized packets.
The triggering factor is that the last fragment makes the total packet size exceed 65535 bytes, which
is the highest number that a 16-bit integer can store. When the value overflows, it jumps back to a
very small number. What happens then is a function of how well the victim's IP stack is
implemented.
NetDefendOS will never allow fragments through that would result in the total size exceeding
65535 bytes. In addition to that, there are configurable limits for IP packet sizes in the "Advanced
Settings" section.
Ping of death will show up in NetDefendOS logs as drops with the rule name set to
"LogOversizedPackets". The sender IP address may be spoofed.
6.6.4. Fragmentation overlap attacks: Teardrop, Bonk, Boink and Nestea
Teardrop and its followers are fragment overlap attacks. Many IP stacks have shown erratic behavior
(excessive resource exhaustion or crashes) when exposed to overlapping fragments.
NetDefendOS protects fully against fragmentation overlap attacks. Overlapping fragments are never
allowed to pass through the system.
Teardrop and its followers will show up in NetDefendOS logs as drops with the rule name set to
"IllegalFrags". The sender IP address may be spoofed.
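The two fragment checks described above (total size must never exceed 65535 bytes, and no fragment may overlap one already accepted) can be illustrated with a small reassembly validator. This is an added example, not NetDefendOS code; the `Fragment` record, the constructed sample fragments and the `wrapped_end` helper that mimics a naive 16-bit stack are all assumptions made for the illustration. Verdict strings reuse the two log rule names the manual mentions.

```python
"""Fragment validation of the kind a firewall applies before reassembly.

Added example (not NetDefendOS code). Demonstrates:
  * the 16-bit wrap-around that makes an oversized datagram look small to
    a careless stack (ping of death), and the correct check against it;
  * rejection of fragments that overlap data already accepted (Teardrop
    and its followers).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

MAX_IP_PACKET = 65535   # largest value a 16-bit IP total-length field can hold
MAX_OFFSET = 8191       # fragment offset field is 13 bits, in 8-byte units


@dataclass(frozen=True)
class Fragment:
    ident: int    # IP identification; all fragments of one datagram share it
    offset: int   # fragment offset in units of 8 bytes (as carried on the wire)
    length: int   # payload bytes carried by this fragment
    more: bool    # "more fragments" (MF) flag


def wrapped_end(frag: Fragment) -> int:
    """What a naive 16-bit implementation computes as the end of this fragment.

    Hypothetical helper: shows how 65512 + 40 becomes 16 after wrap-around,
    so the oversized datagram passes a check done in 16-bit arithmetic.
    """
    return (frag.offset * 8 + frag.length) & 0xFFFF


def check_fragment(frag: Fragment, accepted: List[Fragment]) -> Optional[str]:
    """Return a drop reason, or None if the fragment may be accepted."""
    if not 0 <= frag.offset <= MAX_OFFSET or frag.length <= 0:
        return "IllegalFrags"
    start = frag.offset * 8
    end = start + frag.length          # full-width arithmetic, no wrap-around
    if end > MAX_IP_PACKET:
        return "LogOversizedPackets"   # ping of death style datagram
    for prev in accepted:
        prev_start = prev.offset * 8
        prev_end = prev_start + prev.length
        # Two byte ranges overlap when each starts before the other ends.
        if start < prev_end and prev_start < end:
            return "IllegalFrags"      # Teardrop style overlap
    return None


def classify(fragments: Iterable[Fragment]) -> List[Optional[str]]:
    """Process fragments in arrival order; return one verdict per fragment."""
    accepted: Dict[int, List[Fragment]] = {}
    verdicts: List[Optional[str]] = []
    for frag in fragments:
        verdict = check_fragment(frag, accepted.get(frag.ident, []))
        verdicts.append(verdict)
        if verdict is None:
            accepted.setdefault(frag.ident, []).append(frag)
    return verdicts


# Constructed sample traffic (not captured data).
SAMPLE = [
    Fragment(1, 0, 1480, True),      # ordinary 1500-byte datagram, part 1
    Fragment(1, 185, 20, False),     # part 2 starts at byte 1480: fine
    Fragment(2, 8189, 40, False),    # ends at 65552 bytes: oversized
    Fragment(3, 0, 1480, True),      # Teardrop pattern, part 1
    Fragment(3, 100, 100, False),    # bytes 800-900 overlap part 1
    Fragment(4, 0, 16, True),        # adjacent but not overlapping
    Fragment(4, 2, 16, False),       # starts exactly at byte 16: fine
]

if __name__ == "__main__":
    for frag, verdict in zip(SAMPLE, classify(SAMPLE)):
        print(frag, "->", verdict or "accept")
    print("naive 16-bit end of oversized fragment:", wrapped_end(SAMPLE[2]))
```

The overlap test is the standard interval check, so it catches both a fragment that lands inside an earlier one and one that merely straddles its boundary; the two adjacent fragments of datagram 4 show that touching ranges are not treated as overlapping.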

6.6.5. The Land and LaTierra attacks

The Land and LaTierra attacks work by sending a packet to a victim and making the victim
respond to itself, which in turn generates yet another response to itself, and so on. This will either bog
the victim's machine down or make it crash.
The attack is accomplished by using the victim's IP address in the source field of an IP packet as
well as in the destination field.
NetDefendOS protects against this attack by applying IP spoofing protection to all packets. In its
default configuration, it will simply compare arriving packets to the contents of the routing table; if
a packet arrives on an interface that is different from the interface where the system expects the
source to be, the packet will be dropped.
Land and LaTierra attacks will show up in NetDefendOS logs as drops with the rule name set to
"AutoAccess" by default, or, if you have written custom Access rules, the name of the Access rule
that dropped the packet. The sender IP address is of no interest here since it is always the same as
the destination IP address.
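The routing-table comparison described above can be shown with a small reverse-path check. This is an added example, not NetDefendOS code; the three-interface routing table, the interface names `lan`, `dmz` and `wan`, the `Packet` record and the sample packets are constructed for the illustration. The drop verdict reuses the default "AutoAccess" rule name the manual gives.

```python
"""Reverse-path style spoof check of the kind described above.

Added example (not NetDefendOS code). A packet is dropped when the interface
it arrived on is not the interface the routing table would use to reach its
source address. A Land-style packet carrying the victim's own address as
source arrives from the outside, so the check rejects it.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Route = Tuple[ipaddress.IPv4Network, str]   # (destination prefix, interface)

# Constructed routing table: an inside network, a DMZ and a default route.
ROUTING_TABLE: List[Route] = [
    (ipaddress.ip_network("192.168.1.0/24"), "lan"),
    (ipaddress.ip_network("10.0.0.0/8"), "dmz"),
    (ipaddress.ip_network("0.0.0.0/0"), "wan"),
]


@dataclass(frozen=True)
class Packet:
    src: IPv4
    dst: IPv4
    in_iface: str   # interface the packet was received on


def expected_interface(addr: IPv4, table: List[Route]) -> Optional[str]:
    """Longest-prefix match: the interface a reply to `addr` would leave on."""
    best: Optional[Route] = None
    for net, iface in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def access_check(pkt: Packet, table: List[Route] = ROUTING_TABLE) -> Optional[str]:
    """Return the name of the rule that drops the packet, or None to accept."""
    if expected_interface(pkt.src, table) != pkt.in_iface:
        return "AutoAccess"   # source is not where the routing table expects it
    return None


def pkt(src: str, dst: str, iface: str) -> Packet:
    return Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst), iface)


# Constructed sample packets (not captured data).
LAND_PACKET = pkt("192.168.1.10", "192.168.1.10", "wan")     # victim's address as source
NORMAL_INBOUND = pkt("203.0.113.5", "192.168.1.10", "wan")   # genuine outside source
NORMAL_OUTBOUND = pkt("192.168.1.10", "203.0.113.5", "lan")  # inside host going out
SPOOFED_DMZ = pkt("10.1.2.3", "192.168.1.10", "wan")         # DMZ address from the outside

if __name__ == "__main__":
    for name, p in [("land", LAND_PACKET), ("inbound", NORMAL_INBOUND),
                    ("outbound", NORMAL_OUTBOUND), ("spoofed dmz", SPOOFED_DMZ)]:
        print(f"{name:12s} {p.src} -> {p.dst} on {p.in_iface}: "
              f"{access_check(p) or 'accept'}")
```

Note that the check never needs to compare source with destination: the Land packet is dropped for the same reason as any other spoofed packet, which matches the manual's statement that the sender address is of no interest in the log entry.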

6.6.6. The WinNuke attack

The WinNuke attack works by connecting to a TCP service that does not have handlers for
"out-of-band" data (TCP segments with the URG bit set), but still accepts such data. This will
usually put the service in a tight loop that consumes all available CPU time.
One such service was the NetBIOS over TCP/IP service on Windows machines, which gave the
attack its name.
NetDefendOS protects against this in two ways:
With a careful inbound policy, the attack surface is greatly reduced. Only exposed services could
possibly fall victim to the attack, and public services tend to be better written than
199
Chapter 6. Security Mechanisms