grandeduc - Fotolia

FragmentSmack: How is this denial-of-service exploited?

FragmentSmack, a DDoS vulnerability first discovered in Linux, affects Windows as well as nearly 90 Cisco products. Discover how it can be exploited with Judith Myerson.

A distributed denial-of-service vulnerability called FragmentSmack enables an unauthenticated remote attacker to disable servers with a stream of fragmented IP packets that activate the vulnerability on affected systems. First discovered in Linux, and now also found in Windows, FragmentSmack affects many products, including nearly 90 from Cisco. How can this vulnerability be exploited, and how big is the threat?

FragmentSmack is a vulnerability in the IP stack that can be used to execute a distributed denial-of-service attack. The vulnerability affects Linux kernel version 3.9 or later, and it was discovered in some Cisco products by the Vulnerability Coordination team of the National Cyber Security Centre of Finland and the CERT Coordination Center. The flaw is caused by inefficient algorithms used in IP implementations to reassemble fragmented IPv4 and IPv6 packets.

An attacker using the FragmentSmack vulnerability could exploit it remotely by continuously sending crafted packets -- that appear to be fragments of larger packets that need to be reassembled -- to cause the system to become unresponsive, as 100% of the CPU cores will be in use.

In one scenario, an attacker could send a stream of 8-byte sized IP fragments, each starting with randomly chosen offset values, to a server. The queue of malformed IP fragments waiting for reassembly -- which will never happen because the fragments are not part of any legitimate packets -- increases in size until all the CPU core resources are consumed, leaving no room for other tasks the system needs to perform.

The attacker doesn't specify what core the malformed packets are sent to and the Linux kernel automatically distributes the reassembly to different cores. While such an attack could take a server down, once the flow of malicious fragments stops, the targeted server can resume its normal function.

Cisco's vulnerable listed products include network and content security devices, voice and unified communications devices, and telepresence and transcending devices.

Likewise, this threat has extended to Microsoft and Red Hat, and the affected Microsoft's Window systems include versions 7, 8.1 and 10, as well as all the Windows Server versions. Windows 10 -- 64 bit -- in particular, features an option for Windows Subsystem for Linux that is vulnerable. Turning off this option doesn't prevent the attacker from exploiting the vulnerability, however.

Vulnerable Red Hat products include Virtualization 4, Enterprise MRG, Enterprise Linux Atomic Host and Enterprise Linux versions 6, 7, Real Time 7, 7 for ARM64 and 7 for Power.

Ask the expert:               
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)

Dig Deeper on Network security

Networking
CIO
Enterprise Desktop
Cloud Computing
ComputerWeekly.com
Close