From owner-freebsd-security Fri Jan 21 13:38:11 2000 Delivered-To: freebsd-security@freebsd.org Received: from tetron02.tetronsoftware.com (ftp.tetronsoftware.com [208.236.46.106]) by hub.freebsd.org (Postfix) with ESMTP id 0E67F154B5 for ; Fri, 21 Jan 2000 13:37:48 -0800 (PST) (envelope-from zeus@tetronsoftware.com) Received: from tetron02.tetronsoftware.com (tetron02.tetronsoftware.com [208.236.46.106]) by tetron02.tetronsoftware.com (8.9.3/8.9.3) with ESMTP id PAA04199; Fri, 21 Jan 2000 15:41:13 -0600 (CST) (envelope-from zeus@tetronsoftware.com) Date: Fri, 21 Jan 2000 15:41:13 -0600 (CST) From: Gene Harris To: Brett Glass Cc: freebsd-security@freebsd.org Subject: Re: Some observations on stream.c and streamnt.c In-Reply-To: <4.2.2.20000121141918.01a54ef0@localhost> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > A poor test, IMHO. It's disk-intensive and CPU-intensive, > but not network-intensive. Also, other conditions can True, but again, putting together a test on short notice, one uses the tools at hand. ;-) > affect the results. Were the machines on a network with > a live gateway router? Remember, traffic to, from, and > through the router is significant, since one of the > effects of the exploit is to cause a storm of packets > on the local LAN. Yes, there is a gateway. No packet storm was noticed between any segments. > > I've made an NT/IIS server virtually inaccessible using > the same exploit. > Hmmm... We need to compare detailed notes, because I saw no affect what-so-ever. I also have the ability to put the server on the inet for you to test against, if you would like. However, I see that we both ran the same "bad" test. *grin* > >In the case of Windows 95/98, several more complex > >interactions occured, and my FreeBSD machine began to post > >jess: No more buffer errors. I tested the Win98/95 machines > >against read/writes against the IDE and reads against the > >DVD subsystems and no apparent performance loss was noticed > >when the machines were under attack. (I used the movie "Gone > >With the Wind" as a test on the DVD drive.) > > Again, a bad test -- I/O and CPU intensive, but not network- > intensive. > > The same seems to be true of the Linux and BSD tests you > describe. Again, there will be better tests, but the attack is supposed to take a long path thru the kernel. It ultimately kills the machine (supposedly) because it overwhelms the target's ability to process packets. Further loading of the CPU only exascerbates the problem. I firmly disagree with your observation on NT. Gene To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message