From owner-freebsd-security Tue Jul 25 18:15:59 2000
Date: Tue, 25 Jul 2000 18:18:36 -0700
From: Tim Yardley (yardley@uiuc.edu)
To: Don Lewis, "Maksimov Maksim",
Subject: Re: How defend from stream2.c attack?
Message-Id: <4.3.2.7.2.20000725181153.0218d700@students.uiuc.edu>
In-Reply-To: <200006220024.RAA05975@salsa.gv.tsc.tdk.com>
List: freebsd-security@FreeBSD.ORG

>This version of FreeBSD should be fairly immune to the standard stream2.c
>attack (even without ICMP_BANDLIM, which I would recommend using). It
>seems the biggest part of the problem was caused by the incoming packets
>which had IP addresses in the multicast range. We tweaked tcp_input()
>so that these get ignored. We didn't do anything about broadcast source
>addresses, so if you are attacked by a variant of stream2 that uses these
>you could still have problems.

Just to point it out, the multicast issue was brought up by me in spank.c a long time ago.
    #include <stdio.h>
    #include <stdlib.h>

    /* usage() from spank.c, as posted; the <dst> and <ports> placeholders
       in the original help text did not survive the mailing-list archive. */
    void usage (char *progname)
    {
        printf ("usage: %s [-lmnorsw] \n", progname);
        printf ("\t-l\t- local multicast havoc\n");
        printf ("\t-m\t- multicast variation attack\n");
        printf ("\t-n\t- multicast variation attack with random args\n");
        printf ("\t-o\t- original raped attack\n");
        printf ("\t-r\t- pure random attack on dst\n");
        printf ("\t-s\t- original stream attack\n");
        printf ("\t-w\t- whocares attack (random dest w/ variable multicast)\n");
        printf ("\t\t- destination host (not needed for -l or -w)\n");
        printf ("\t\t- ports to flood\n\n");
        exit (1);
    }

The different variations were basically "wreaking havoc in semi-random manners". Each attack had a facet that was exploited directly, or in the case of the pure random, by chance.

>I would recommend adding packet filter rules that block incoming packets
>with IP broadcast addresses, both 255.255.255.255, and the broadcast
>address(es) of your local network(s).

And block multicast if you aren't using it in your LAN. Keep in mind that some switches that are not multicast aware will treat the packets as broadcasts and create a storm. Very bad.

/tmy

--
Diving into infinity my consciousness expands in inverse proportion to my distance from singularity
+-------- ------- ------ ----- ---- --- -- --- ------ ------- -------- ---------------+
| Tim Yardley (yardley@uiuc.edu) | http://www.students.uiuc.edu/~yardley/
+-------- ------- ------ ----- ---- --- -- --- ------ ------- -------- ---------------+

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
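An added example, not from the thread or from FreeBSD itself, of the source-address check the two posters describe: it flags incoming packets whose source is the limited broadcast address, a multicast address, or the directed broadcast of a local network, runs it over a few constructed packet-log lines, and emits the equivalent ipfw deny rules. The local networks, the log format and the ipfw rule wording are assumptions for illustration.

```python
import ipaddress

# Assumed local networks protected by this host (constructed for the example).
LOCAL_NETWORKS = [ipaddress.ip_network("192.168.0.0/24"),
                  ipaddress.ip_network("10.1.2.0/23")]
MULTICAST = ipaddress.ip_network("224.0.0.0/4")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def classify_source(src, local_networks=LOCAL_NETWORKS):
    """Return why a packet with source address `src` should be dropped, or None."""
    addr = ipaddress.ip_address(src)
    if addr == LIMITED_BROADCAST:
        return "limited-broadcast"
    if addr in MULTICAST:                     # 224.0.0.0/4 as a *source* is never legitimate
        return "multicast"
    for net in local_networks:
        if addr == net.broadcast_address:     # directed broadcast of a local subnet
            return f"directed-broadcast({net})"
    return None


def filter_log(lines, local_networks=LOCAL_NETWORKS):
    """Apply the check to 'src dst proto' lines; return (dropped list, passed count)."""
    drops, passed = [], 0
    for line in lines:
        src, _dst, _proto = line.split()
        reason = classify_source(src, local_networks)
        if reason:
            drops.append((src, reason))
        else:
            passed += 1
    return drops, passed


def ipfw_rules(local_networks=LOCAL_NETWORKS):
    """Assumed ipfw syntax for the same policy: deny inbound packets from these sources."""
    rules = ["ipfw add deny ip from 255.255.255.255 to any in",
             "ipfw add deny ip from 224.0.0.0/4 to any in"]
    for net in local_networks:
        rules.append(f"ipfw add deny ip from {net.broadcast_address} to any in")
    return rules


# Constructed sample packet log: source, destination, protocol.
SAMPLE_LOG = [
    "192.168.0.24 192.168.0.1 tcp",        # normal host traffic
    "255.255.255.255 192.168.0.24 tcp",    # limited broadcast source
    "239.1.2.3 192.168.0.24 tcp",          # multicast source (stream2 variant)
    "192.168.0.255 192.168.0.24 tcp",      # local directed broadcast
    "10.1.3.255 192.168.0.24 tcp",         # broadcast of the second local net
    "208.50.142.100 192.168.0.24 tcp",     # ordinary remote host
]
```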