From owner-freebsd-security  Mon Jan 24  9:31:59 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ind.alcatel.com (postal.xylan.com [208.8.0.248])
	by hub.freebsd.org (Postfix) with ESMTP id 229161591A
	for <freebsd-security@freebsd.org>; Mon, 24 Jan 2000 09:31:56 -0800 (PST)
	(envelope-from wes@softweyr.com)
Received: from mailhub.xylan.com (mailhub [198.206.181.70])
	by ind.alcatel.com (8.9.3+Sun/8.9.1 (ind.alcatel.com 3.0 [OUT])) with SMTP id JAA08236;
	Mon, 24 Jan 2000 09:30:03 -0800 (PST)
X-Origination-Site: <ind.alcatel.com>
Received: from omni.xylan.com by mailhub.xylan.com (SMI-8.6/SMI-SVR4 (mailhub 2.1 [HUB]))
	id JAA06012; Mon, 24 Jan 2000 09:30:03 -0800
Received: from softweyr.com (dyn0.utah.xylan.com [198.206.184.236])
	by omni.xylan.com (8.9.3+Sun/8.9.1 (Xylan engr [SPOOL])) with ESMTP id JAA18440;
	Mon, 24 Jan 2000 09:28:41 -0800 (PST)
Message-ID: <388C8D31.899AF4FC@softweyr.com>
Date: Mon, 24 Jan 2000 10:34:41 -0700
From: Wes Peters <wes@softweyr.com>
Organization: Softweyr LLC
X-Mailer: Mozilla 4.7 [en] (X11; U; FreeBSD 3.3-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Don Lewis <Don.Lewis@tsc.tdk.com>
Cc: Richard Steenbergen <ras@above.net>,
	Alfred Perlstein <bright@wintelcom.net>, freebsd-security@freebsd.org
Subject: Re: stream.c
References: <20000123102829.C18349@above.net> <20000123083234.N26520@fw.wintelcom.net> <20000123112220.E18349@above.net> <200001240738.XAA21595@salsa.gv.tsc.tdk.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Don Lewis wrote:
> 
> On Jan 23, 11:22am, Richard Steenbergen wrote:
> }
> } The checksums are a pretty small amount of the CPU time burned. The RST
> } generation is by far the worst, the PCB hash lookups are 2nd after that.
> 
> Any idea why RST generation is so bad?

Because the stream program sends packets with multicast source addresses, so
the RSTs get returned to multicast addresses.  Worse yet, we don't have an
existing route for these bogus multicast addresses, so IP happily floods them
on all interfaces, making the attack a packet exploder.

Warner has a handle on this, why don't we wait for his SA and patch?

-- 
            "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message