Date:      Tue, 25 Jul 2000 18:18:36 -0700
From:      Tim Yardley <yardley@uiuc.edu>
To:        Don Lewis <Don.Lewis@tsc.tdk.com>, "Maksimov Maksim" <maksim@tts.tomsk.su>, <freebsd-security@FreeBSD.ORG>
Subject:   Re: How defend from stream2.c attack?
Message-ID:  <4.3.2.7.2.20000725181153.0218d700@students.uiuc.edu>
In-Reply-To: <200006220024.RAA05975@salsa.gv.tsc.tdk.com>
References:  <000401bfdb64$3eae8320$0c3214d4@dragonland.tts.tomsk.su> <000401bfdb64$3eae8320$0c3214d4@dragonland.tts.tomsk.su>


>This version of FreeBSD should be fairly immune to the standard stream2.c
>attack (even without ICMP_BANDLIM, which I would recommend using).  It
>seems the biggest part of the problem was caused by the incoming packets
>which had IP addresses in the multicast range.  We tweaked tcp_input()
>so that these get ignored.  We didn't do anything about broadcast source
>addresses, so if you are attacked by a variant of stream2 that uses these
>you could still have problems.

Just to point it out, the multicast issue was brought up by me in spank.c a 
long time ago.

#include <stdio.h>
#include <stdlib.h>

/* Print the command-line help for spank.c and exit with a failure status. */
void
usage (char *progname)
{
   printf ("usage: %s [-lmnorsw] <dst> <ports>\n", progname);
   printf ("\t-l\t- local multicast havoc\n");
   printf ("\t-m\t- multicast variation attack\n");
   printf ("\t-n\t- multicast variation attack with random args\n");
   printf ("\t-o\t- original raped attack\n");
   printf ("\t-r\t- pure random attack on dst\n");
   printf ("\t-s\t- original stream attack\n");
   printf ("\t-w\t- whocares attack (random dest w/ variable multicast)\n");
   printf ("\t<dst>\t- destination host (not needed for -l or -w)\n");
   printf ("\t<ports>\t- ports to flood\n\n");
   exit (1);
}

the different variations were basically "wreaking havoc in semi-random 
manners".  Each attack had a facet that was exploited directly, or in the 
case of the pure random, by chance.

>I would recommend adding packet filter rules that block incoming packets
>with IP broadcast addresses, both 255.255.255.255, and the broadcast
>address(es) of your local network(s).

And block multicast if you aren't using it in your LAN.  Keep in mind that 
some switches that are not multicast aware will treat the packets as 
broadcasts and create a storm.  Very bad.

/tmy

-- Diving into infinity my consciousness expands in inverse
    proportion to my distance from singularity

+--------  -------  ------  -----  ---- --- -- --- ------ ------- -------- ---------------+
|  Tim Yardley (yardley@uiuc.edu)
|  http://www.students.uiuc.edu/~yardley/
+--------  -------  ------  -----  ---- --- -- --- ------ ------- -------- ---------------+
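The source-address checks the two replies recommend (drop inbound packets whose source is multicast, the limited broadcast 255.255.255.255, or the directed broadcast of a local network), modelled as an added example that is not part of the thread and not FreeBSD's tcp_input() or any ipfw rule set; the local networks and the packet sample are constructed values.

```python
import ipaddress
from typing import Optional

# Constructed example: the networks this host is attached to (assumed values).
LOCAL_NETS = [ipaddress.ip_network("10.1.2.0/24"),
              ipaddress.ip_network("192.168.50.0/25")]

MULTICAST = ipaddress.ip_network("224.0.0.0/4")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def forbidden_source(src: str, local_nets=LOCAL_NETS) -> Optional[str]:
    """Return why src can never be a legitimate unicast source, or None.

    A reply to such a packet would itself be multicast or broadcast, which is
    what turns a stream2/spank flood into a LAN storm on unaware switches.
    """
    ip = ipaddress.ip_address(src)
    if ip in MULTICAST:
        return "multicast source"
    if ip == LIMITED_BROADCAST:
        return "limited broadcast source"
    for net in local_nets:
        if ip == net.broadcast_address:
            return f"directed broadcast for {net}"
    return None


def filter_packets(packets, local_nets=LOCAL_NETS):
    """Split packets into (accepted, dropped); each entry is (pkt, reason)."""
    accepted, dropped = [], []
    for pkt in packets:
        reason = forbidden_source(pkt["src"], local_nets)
        (dropped if reason else accepted).append((pkt, reason))
    return accepted, dropped


# Constructed sample of inbound packets as a host filter would see them.
SAMPLE = [
    {"src": "203.0.113.7",     "dst": "10.1.2.10", "dport": 80},  # normal
    {"src": "224.0.0.9",       "dst": "10.1.2.10", "dport": 80},  # multicast
    {"src": "255.255.255.255", "dst": "10.1.2.10", "dport": 22},  # limited bcast
    {"src": "10.1.2.255",      "dst": "10.1.2.10", "dport": 25},  # /24 bcast
    {"src": "192.168.50.127",  "dst": "10.1.2.10", "dport": 25},  # /25 bcast
    {"src": "192.168.50.128",  "dst": "10.1.2.10", "dport": 25},  # outside /25
]

if __name__ == "__main__":
    accepted, dropped = filter_packets(SAMPLE)
    for pkt, reason in dropped:
        print(f"drop {pkt['src']}: {reason}")
    print(f"accepted {len(accepted)}, dropped {len(dropped)}")
```

Note that 192.168.50.128 is accepted: only the broadcast address of each configured prefix is a broadcast, so the filter must know the real netmasks in use.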
