TUCoPS :: Unix :: Various Flavours :: ciach012.txt

IBM AIX SYN Ping Vulnerabilities


                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___

                             INFORMATION BULLETIN

           IBM AIX(r) 'SYN Flood' and 'Ping o' Death' Vulnerabilities

December 10, 1996 19:00 GMT                                        Number H-12
PROBLEM:       Two vulnerabilities have been addressed: (1) The SYN Flood
               Attack, and (2) The Ping o' Death Attacks
PLATFORM:      IBM AIX 3.2.5, 4.1.x, 4.2.x
DAMAGE:        The SYN Flood attack allows the bombarding of a system with
               dozens of falsified connection requests a minute that can
               seriously degrade its ability to give service to legitimate
               connection requests. This is why the attack is said to "deny
               service" to the system's users. Unlike the SYN flood attack,
               the Ping o' Death problem is due to the implementation of
               fragmented packet reassembly, and is thus relatively easy to
SOLUTION:      Install the newly available patches indicated below.
VULNERABILITY  Both vulnerabilities have been widely published on the Internet
ASSESSMENT:    and elsewhere.

[ Start IBM-ERS Advisory ]


                  =======  ============    ======       ======
                  =======  ==============  =======     =======
                    ===      ===     ====    ======   ======
                    ===      ===========     ======= =======
                    ===      ===========     === ======= ===
                    ===      ===     ====    ===  =====  ===
                  =======  ==============  =====   ===   =====
                  =======  ============    =====    =    =====

                           EMERGENCY RESPONSE SERVICE

03 December 1996 18:30 GMT                       Number: ERS-SVA-E01-1996:006.1
                      Newly Available Patches for IBM AIX(r)
                `SYN Flood' and `Ping o' Death' Vulnerabilities

  I. Introduction and Background
     A. The SYN Flood Attack
     B. The "Ping o' Death" Attack
 II. AIX Systems Affected
     A. The SYN Flood Attack
     B. The "Ping o' Death" Attack
III. Fixes for IBM AIX
     A. The SYN Flood Attack
     B. The "Ping o' Death" Attack
 IV. Fixes for IBM SNG Firewall
  V. Obtaining Fixes
 VI. Acknowledgements


I. Introduction and Background

In recent weeks, two network protocol security vulnerabilities have received
attention throughout the Internet community.  These vulnerabilities are
described below.

The information in this section is not new; it has been published on the
Internet and elsewhere.  It is repeated here for completeness, and for those
readers who are unfamiliar with either vulnerability.

  A. The SYN Flood Attack

  The first of these vulnerabilities, commonly called the "SYN Flood Attack,"
  was publicized by the New York Times and other news media in September, 1996.
  The exploitation of this vulnerability takes advantage of the Transmission
  Control Protocol (TCP) connection establishment procedure, usually called the
  "three-way handshake."  The three-way handshake works as follows:

    Suppose that Host A wants to connect to Host B:

    1. Host A begins the process of establishing the connection by sending a
       SYN (synchronization) packet to Host B.  This packet requests a new
       connection on a particular port, and begins the process of negotiating
       connection details such as packet sequence numbers.

    2. Host B responds by sending a SYN/ACK (synchronization/acknowledgement)
       packet back to A.  This packet acknowledges Host A's packet, and goes
       one step further in negotiating the connection details.

    3. Host A sends a final ACK (acknowledgement) packet back to Host B; this
       acknowledges Host B's packet, finalizes the negotiations of connection
       details, and the connection is established.

  The three-way handshake is designed to work properly even if one of the
  packets gets lost or duplicated, which can happen from time to time (as a
  part of normal operations).

  During the time between steps 2 and 3, Host B must keep track of the pending
  new connection by storing the details of the negotiation in an in-memory data
  structure.  This data structure is usually of finite size, which means that
  too many pending connections at one time can cause it to overflow.  When this
  happens, Host B will be unable to accept any new connections at all until
  some of the pending connections have been fully established (or have timed
  out), freeing space in the data structure.

  The basic SYN flood attack works by sending a high volume of SYN packets to
  the target host, and then never responding to the SYN/ACK packets that are
  returned, thus filling up the data structure(s) used by the target host to
  keep track of pending connections.  Although pending connections will time
  out eventually and free up space in the data structure(s), the sender can
  simply transmit additional SYN packets, faster than they can expire.

  In another possible scenario, the sender takes advantage of the fact that
  since he is ignoring the target host's SYN/ACK packets, he doesn't even need
  to receive them.  This allows him to hide his location by using a forged
  address in the SYN packets his system sends -- he can use the real address of
  another system (thus misleading the target), or he can use a non-existent
  address (and simply hiding).  At least one of the attack programs currently
  in use on the Internet makes up a new, random source address for each packet
  it sends.

  For more complete information on the SYN Flood attack, see


  B. The "Ping o' Death" Attack

  The second vulnerability, which has been dubbed the "Ping o' Death," takes
  advantage of the ability of the Internet Protocol (the protocol on top of
  which all other Internet protocols are built) to fragment packets.  This
  works as follows:

  The specification for the Internet Protocol (IP) says that a packet may be up
  to 65,535 (2^16 - 1) bytes in length, including the packet header.  But the
  specifications for most network technologies in use today do not allow
  packets that big.  For example, the maximum Ethernet packet size is 1,500

  To allow large packets to be sent, IP allows the sender to break a large
  packet up into several smaller packets.  Each fragment packet contains an
  offset value that says where in the larger packet this fragment belongs --
  the first fragment will have an offset of zero, the second fragment will have
  an offset equal to the length of the first fragment, and so on.  Note that
  this makes it possible to combine a valid offset with a suitable fragment
  size such that (offset + size) is greater than 65,535, the maximum size of a

  The problem arises in the way packet fragmentation is implemented by most
  systems.  Typically, they do not attempt to process a packet until all the
  fragments have been received and an attempt has been made to reassemble them
  into one big packet.  This opens these systems to the possibility for
  overflow of 16-bit internal variables, resulting in system crashes, protocol
  hangs, and other problems.

  This problem was first discovered in the context of sending ICMP ECHO REQUEST
  packets, commonly called "ping" packets after the application program used to
  send them.  Most implementations of "ping" will not allow improperly-sized
  packets to be sent, although there are several exceptions to this (and many
  systems can be modified to allow it, in any case).  Because sending a single,
  large (65,510 bytes) "ping" packet to many systems will cause them to hang or
  even crash, this problem was quickly dubbed the "Ping o' Death."

  For complete information on the Ping o' Death, see Mike Bremford's
  compilation of specific software vulnerabilities:


II. AIX Systems Affected

  A. The SYN Flood Attack

  Any system that is connected to a TCP/IP-based network (Internet or intranet)
  and offers TCP-based services is vulnerable to the SYN flood attack.  The
  attack does not distinguish between operating systems, software version
  levels, or hardware platforms; all systems are vulnerable.

  Because this attack takes advantage of the TCP protocol itself, it cannot be
  eliminated without changing the protocol.  However, it is possible to make
  changes to the implementation of the connection establishment procedure that
  can mitigate the problems caused by the attack, and several vendors have
  either made such changes or are in the process of making them.

  B. The "Ping o' Death" Attack
  Not all operating systems are vulnerable to this problem.  However, most of
  the popular operating systems in use today are vulnerable, to some degree,
  under certain circumstances.  This problem is not limited to the UNIX system;
  it occurs in many personal computer operating systems, some midrange and
  mainframe systems, and several more specialized operating systems (terminal
  servers, network printers).

  Unlike the SYN flood attack, this problem is due to the implementation of
  fragmented packet reassembly, and is thus relatively easy to fix.  Several
  vendors have either made patches for this problem available, or are in the
  process of doing so.

III. Fixes for IBM AIX

IBM has released AIX operating system fixes for both the SYN flood and "Ping
o' Death" vulnerabilities.

NOTE: If you are using the IBM Internet Connection Secured Network Gateway
      (SNG) firewall software, you must also apply the fixes listed in the next

  A. The SYN Flood Attack

  The following Automated Program Analysis Reports (APARs) for IBM AIX are now
  available to address the SYN flood attack:

          AIX 3.2.5
              No APAR available; upgrade to AIX 4.x recommended

          AIX 4.1.x
	      APAR - IX62476

          AIX 4.2.x
	      APAR - IX62428

  B. The "Ping o' Death" Attack

  The following Automated Program Analysis Reports (APARs) for IBM AIX are now
  available to address the "Ping o' Death" Attack:

          AIX 3.2.5
	      APAR - IX59644

          AIX 4.1.x
	      APAR - IX59453

          AIX 4.2.x
	      APAR - IX61858

If you are running AIX 4.x, you can determine whether or not you have these
fixes installed on your system by issuing the command

	instfix -ik APAR_ID

where "APAR_ID" is the applicable "IXnnnnn" number from the list above.

IV. Fixes for IBM SNG Firewall

The following Automated Program Analysis Reports (APARs) for the IBM Internet
Connection Secured Network Gateway firewall product are now available to
address the SYN flood and "Ping o' Death" attacks:

NOTE: The fixes in this section should ONLY be applied to systems running the
      IBM Internet Connection Secured Network Gateway (SNG) firewall software.
      They should be applied IN ADDITION TO the IBM AIX fixes listed in the
      previous section.
          IBM SNG V2.1
              APAR - IR33376 PTF UR46673

	  IBM SNG V2.2

	      APAR - IR33484 PTF UR46641
V. Obtaining Fixes

IBM AIX APARs may be ordered using Electronic Fix Distribution (via the
FixDist program), or from the IBM Support Center.  For more information on
FixDist, and to obtain fixes via the Internet, please reference


or send electronic mail to "aixserv@austin.ibm.com" with the word "FixDist" in
the "Subject:" line.

VI. Acknowledgements

AIX is a registered trademark of International Business Machines Corporation.


[ End IBM-ERS Advisory ]

CIAC wishes to acknowledge the contributions of IBM-ERS for the
information contained in this bulletin.

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 510-422-8193
    FAX:      +1 510-423-8002
    STU-III:  +1 510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://ciac.llnl.gov/
   Anonymous FTP:       ciac.llnl.gov (
   Modem access:        +1 (510) 423-4753 (28.8K baud)
                        +1 (510) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
4. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called ListProcessor, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
valid information for LastName FirstName and PhoneNumber when sending

E-mail to       ciac-listproc@llnl.gov:
        subscribe list-name LastName, FirstName PhoneNumber
  e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN,
and information on how to change either of them, cancel your
subscription, or get help.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

H-01: Vulnerabilities in bash
H-02: SUN's TCP SYN Flooding Solutions
H-03: HP-UX_suid_Vulnerabilities
H-04: HP-UX  Ping Vulnerability
H-05: Internet Hoaxes
H-07: Sendmail SIGHUP-smtpd Vulnerability
H-08: lpr Buffer Overrun Vulnerability
H-09: HP 9000 Access Vulnerability
H-10: HP-UX Security Vulnerabilities (passwd, fpkg2swpkg, newgrp)
H-11: sendmail Group Permissions Vulnerability

RECENT CIAC NOTES ISSUED (Previous Notes available from CIAC)

Notes 07 - 3/29/95     A comprehensive review of SATAN

Notes 08 - 4/4/95      A Courtney update

Notes 09 - 4/24/95     More on the "Good Times" virus urban legend

Notes 10 - 6/16/95     PKZ300B Trojan, Logdaemon/FreeBSD, vulnerability
                       in S/Key, EBOLA Virus Hoax, and Caibua Virus

Notes 11 - 7/31/95     Virus Update, Hats Off to Administrators,
                       America On-Line Virus Scare, SPI 3.2.2 Released,
                       The Die_Hard Virus

Notes 12 - 9/12/95     Securely configuring Public Telnet Services, X
                       Windows, beta release of Merlin, Microsoft Word
                       Macro Viruses, Allegations of Inappropriate Data
                       Collection in Win95

Notes 96-01 - 3/18/96  Java and JavaScript Vulnerabilities, FIRST
                       Conference Announcement, Security and Web Search
                       Engines, Microsoft Word Macro Virus Update

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH