From owner-freebsd-security Fri Jan 21 0:28:13 2000
Delivered-To: freebsd-security@freebsd.org
Received: from clapton.atgsystems.com (clapton.atgsystems.com [207.122.162.32])
	by hub.freebsd.org (Postfix) with ESMTP id 7833415198
	for ; Fri, 21 Jan 2000 00:28:11 -0800 (PST)
	(envelope-from bobm@atgsystems.com)
Received: from madman (root@joplin.atgsystems.com [207.122.162.33])
	by clapton.atgsystems.com (8.8.8/8.8.8) with SMTP id CAA07010
	for ; Fri, 21 Jan 2000 02:26:26 -0600 (CST)
	(envelope-from bobm@atgsystems.com)
Message-ID: <000101bf63e9$76352f30$01000000@madman>
From: "Bob Madden"
To: "FreeBSD-Security"
Subject: Re: bugtraq posts: stream.c - new FreeBSD exploit?
Date: Fri, 21 Jan 2000 02:28:10 -0600
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3612.1700
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3612.1700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'm grateful for the efforts put forth in finding a reliable means of prevention to this attack. I have seen its effects.

For the benefit of those working on the solution, I wanted to share what I see when the attack is in full swing:

Running FreeBSD 3.4-STABLE using ipfw; the kernel was compiled with:

maxusers 390
options NMBCLUSTERS=10000
options NBUF=8192

Here is the log output:

Jan 19 22:27:05 Irc /kernel: icmp-response bandwidth limit 10342/100 pps
Jan 19 22:27:06 Irc /kernel: icmp-response bandwidth limit 9762/100 pps
Jan 19 22:27:07 Irc /kernel: icmp-response bandwidth limit 10990/100 pps
Jan 19 22:27:08 Irc /kernel: icmp-response bandwidth limit 10053/100 pps
Jan 19 22:27:09 Irc /kernel: icmp-response bandwidth limit 10748/100 pps
Jan 19 22:27:11 Irc /kernel: icmp-response bandwidth limit 11634/100 pps
Jan 19 22:27:12 Irc /kernel: icmp-response bandwidth limit 10811/100 pps
Jan 19 22:27:13 Irc /kernel: icmp-response bandwidth limit 10972/100 pps
Jan 19 22:27:14 Irc /kernel: icmp-response bandwidth limit 10325/100 pps
Jan 19 22:27:15 Irc /kernel: icmp-response bandwidth limit 10538/100 pps
Jan 19 22:27:16 Irc /kernel: icmp-response bandwidth limit 11204/100 pps
Jan 19 22:27:17 Irc /kernel: icmp-response bandwidth limit 10350/100 pps
Jan 19 22:27:17 Irc /kernel: Out of mbuf clusters - adjust NMBCLUSTERS or increase maxusers!

BANG!!! Reboot!

If you need more specifics, you can email me directly.

Bob Madden
>,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,<
--This Message Composed By: Bob Madden --
bobm@ATGSYSTEMS.COM
Sys Admin /Network Engineer
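
Added example, not part of the original message: a small Python check that correlates the two kernel messages quoted above, sustained `icmp-response bandwidth limit` hits followed by `Out of mbuf clusters`. The function name `analyze` and the thresholds (`factor`, `min_hits`, `window`) are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# Sample input: a subset of the kernel messages in the report (line wrap repaired).
SAMPLE_LOG = """\
Jan 19 22:27:05 Irc /kernel: icmp-response bandwidth limit 10342/100 pps
Jan 19 22:27:06 Irc /kernel: icmp-response bandwidth limit 9762/100 pps
Jan 19 22:27:07 Irc /kernel: icmp-response bandwidth limit 10990/100 pps
Jan 19 22:27:08 Irc /kernel: icmp-response bandwidth limit 10053/100 pps
Jan 19 22:27:09 Irc /kernel: icmp-response bandwidth limit 10748/100 pps
Jan 19 22:27:17 Irc /kernel: Out of mbuf clusters - adjust NMBCLUSTERS or increase maxusers!
"""

PREFIX = r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) /kernel: "
RATE_RE = re.compile(PREFIX + r"icmp-response bandwidth limit (\d+)/(\d+) pps")
MBUF_RE = re.compile(PREFIX + r"Out of mbuf clusters")

def _ts(stamp, year):
    # syslog timestamps carry no year, so the caller supplies one
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def analyze(log, year=2000, factor=10, min_hits=5, window=timedelta(seconds=30)):
    # Returns (kind, host, time, detail) tuples.
    # "flood": min_hits limiter messages inside `window`, each reporting demand
    #   of at least factor * limit; detail is the peak pps among them.
    # "mbuf-exhausted": detail counts such messages in the preceding window
    #   (0 means the exhaustion is not preceded by limiter pressure).
    hits, alerts, flooding = [], [], False
    for line in log.splitlines():
        m = RATE_RE.match(line)
        if m:
            when, observed, limit = _ts(m[1], year), int(m[3]), int(m[4])
            if observed >= factor * limit:
                hits.append((when, observed))
            hits = [h for h in hits if when - h[0] <= window]
            if len(hits) < min_hits:
                flooding = False
            elif not flooding:
                flooding = True
                alerts.append(("flood", m[2], when, max(o for _, o in hits)))
            continue
        m = MBUF_RE.match(line)
        if m:
            when = _ts(m[1], year)
            recent = [h for h in hits if when - h[0] <= window]
            alerts.append(("mbuf-exhausted", m[2], when, len(recent)))
    return alerts
```

Run over a live `/var/log/messages`, the "flood" alert fires several seconds before the exhaustion message in the sample, which is the window in which an operator or a filter rule can still react.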