I'd like to ask a question about the IPv4 fragment manager in the Linux kernel (net/ipv4/inet_fragment.c). I don't understand why the structure inet_frags (include/net/inet_frag.h) has got an "rnd" field, which is obviously filled in with random numbers. I mean, I don't expect my IPv4 stack to reassemble my packets in a random order ^^.

Could you help me please? Thanks in advance. (Kernel 3.4.4)

tvuillemin

1 Answer

The implementation uses a hash table to store IP datagram fragments. Hash tables with a fixed hash function are prone to denial-of-service hash-collision attacks, so they add a random seed to the hash function to protect against that attack.

See http://www.iss.net/security_center/reference/vuln/linux-kernel-packets-dos.htm :

The Linux Kernel is vulnerable to a denial of service, caused by improper handling of TCP/IP fragment reassembly. A remote attacker could send specially-crafted packets that would cause a large number of hash table collisions, which would consume all available CPU resources.

Maxim Egorushkin
  • In addition: Random numbers are used as starting points. The initial TCP sequence numbers are chosen randomly to prevent [Connection hijacking](http://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_hijacking) for example. – Sander Steffann Aug 29 '12 at 10:50
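The attack the answer describes, as an added worked example that is not part of the original question or answer and is not kernel code: a toy reassembly table keyed on (saddr, daddr, id, protocol) with 64 buckets, first with an unseeded XOR hash, then with the same fields mixed together with a secret per-table value standing in for the kernel's "rnd". The attacker builds 1024 datagram identities that differ only in the IP ID bits above log2(64); under the unseeded hash every one of them lands in the same bucket, so each new fragment forces a walk of the whole chain, while under the seeded hash they spread out because the attacker cannot predict the bucket without the seed. The addresses, IDs, bucket count and the murmur-style mixer are constructed for this example; the real kernel uses jhash with its own rnd.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define NBUCKETS 64u    /* power of two; hypothetical table size for this example */
#define NKEYS    1024   /* number of attacker-crafted datagram identities */

/* Fields identifying an IPv4 datagram under reassembly (simplified stand-in
 * for the kernel's own key; not kernel code). */
struct frag_key {
    uint32_t saddr;
    uint32_t daddr;
    uint16_t id;
    uint8_t  protocol;
};

/* Unseeded hash: XOR of the fields, masked to the table size.  Only the low
 * log2(NBUCKETS) bits of each field influence the bucket, and the attacker
 * controls all of them. */
static uint32_t fixed_bucket(const struct frag_key *k)
{
    return (k->saddr ^ k->daddr ^ k->id ^ k->protocol) & (NBUCKETS - 1);
}

/* murmur3-style 32-bit finalizer: every input bit affects every output bit. */
static uint32_t mix32(uint32_t h)
{
    h ^= h >> 16;
    h *= 0x85ebca6bu;
    h ^= h >> 13;
    h *= 0xc2b2ae35u;
    h ^= h >> 16;
    return h;
}

/* Seeded hash: same fields, folded together with the secret per-table value
 * rnd.  Without rnd the attacker cannot predict which bucket a datagram hits. */
static uint32_t seeded_bucket(const struct frag_key *k, uint32_t rnd)
{
    uint32_t h = rnd;
    h = mix32(h ^ k->saddr);
    h = mix32(h ^ k->daddr);
    h = mix32(h ^ (((uint32_t)k->id << 8) | k->protocol));
    return h & (NBUCKETS - 1);
}

/* Attacker: n datagram identities that differ only in the IP ID bits above
 * log2(NBUCKETS), so fixed_bucket() is identical for all of them.  Returns the
 * number of keys produced (all fit in the 16-bit ID field for NKEYS = 1024). */
static int craft_colliding_keys(struct frag_key *out, int n)
{
    int i;
    for (i = 0; i < n && (uint32_t)i * NBUCKETS + 7 <= 0xffffu; i++) {
        out[i].saddr    = 0xc0a80001u;                   /* 192.168.0.1 (constructed) */
        out[i].daddr    = 0xc0a80002u;                   /* 192.168.0.2 (constructed) */
        out[i].id       = (uint16_t)(i * NBUCKETS + 7);  /* low 6 bits always 000111 */
        out[i].protocol = 17;                            /* UDP */
    }
    return i;
}

/* Insert n keys into an NBUCKETS-slot table and return the longest chain,
 * i.e. how many entries a lookup in the worst bucket has to compare against. */
static int max_bucket_load(const struct frag_key *keys, int n, uint32_t rnd, int use_seed)
{
    unsigned load[NBUCKETS];
    int i, max = 0;
    memset(load, 0, sizeof load);
    for (i = 0; i < n; i++) {
        uint32_t b = use_seed ? seeded_bucket(&keys[i], rnd) : fixed_bucket(&keys[i]);
        if ((int)++load[b] > max)
            max = (int)load[b];
    }
    return max;
}

/* Run the attacker's key set through one table configuration; rnd is ignored
 * when use_seed is 0. */
static int crafted_max_load(uint32_t rnd, int use_seed)
{
    static struct frag_key keys[NKEYS];
    int n = craft_colliding_keys(keys, NKEYS);
    return max_bucket_load(keys, n, rnd, use_seed);
}

/* Per-table secret, filled once at table creation: from /dev/urandom here,
 * with a weak time-based fallback so the program still runs elsewhere. */
static uint32_t fresh_seed(void)
{
    uint32_t rnd = 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f) {
        size_t got = fread(&rnd, sizeof rnd, 1, f);
        fclose(f);
        if (got == 1)
            return rnd;
    }
    return (uint32_t)time(NULL) * 2654435761u;
}

int main(void)
{
    uint32_t rnd = fresh_seed();
    printf("%d crafted datagrams into %u buckets\n", NKEYS, NBUCKETS);
    printf("longest chain, fixed hash : %d\n", crafted_max_load(0, 0));
    printf("longest chain, seeded hash: %d (rnd=0x%08x)\n", crafted_max_load(rnd, 1), rnd);
    return 0;
}
```

With the unseeded hash the longest chain is all 1024 entries, so the 1025th fragment costs 1024 comparisons and the per-packet work grows linearly with the flood; with the seeded hash the same 1024 identities are spread across the table at roughly 16 per bucket. Note that the seed only helps if it stays secret and the hash actually mixes it into every output bit: seeding a hash whose output is still dominated by attacker-controlled low bits gains nothing.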