Supongo que muchos lo habreis leido, pero ahi va... "The recent release of the Linux 2.2.4 kernel fixed a remote denial of service problem in the IP fragment handling code. If you are running a Linux kernel between 2.1.89 and 2.2.3, it would probably be a good idea to get the latest version. In case that isn't feasible for you, I've included a patch in this post. The impact of this problem is that a remote attacker can effectively disable a target's IP connectivity. However, for the attack to succeed, the attacker will have to deliver several thousand packets to the target, which can take up to several minutes. A quick exploit and the patch are appended to the end of this post."
(evidentemente no incluyo el exploit) "(...) The other component of the problem is that the call to allocate a new entry in the routing cache does a check to see if the hashtable that comprises the cache is at a saturated state. If it is, it proceeds to do a garbage collection. If the number of entries in the cache, after this garbage collection, is still higher than the threshold, then dst_alloc() will fail. So, if we generate enough stranded entries in the routing cache (4096 in 2.2.3) via our malicious frags, then all further calls to dst_alloc will fail." ------------------------------------------------------------------ Jose Mari Mor Fabregat Debian Hamm [EMAIL PROTECTED] 2.0.36
