Date: Fri, 21 Jan 2000 15:37:10 -0700
From: Wes Peters
Organization: Softweyr LLC
To: Brett Glass
Cc: Gene Harris, freebsd-security@freebsd.org
Subject: Re: Some observations on stream.c and streamnt.c
Message-ID: <3888DF96.33157880@softweyr.com>
References: <4.2.2.20000120194543.019a8d50@localhost> <4.2.2.20000121141918.01a54ef0@localhost>

Brett Glass wrote:
>
> At 02:18 PM 1/21/2000 , Gene Harris wrote:
>
> >After eight hours of testing, in which I have been
> >bombarding the NT 4.0 SP6a Server, the CPU usage on an
> >unloaded machine jumped to 27%. However, when I started up
> >Oracle 8.05 and ran a rather lengthy query against a 400MB
> >database, no distinguishable differences exist in the query
> >time between a machine under attack and one not under
> >attack.
>
> A poor test, IMHO. It's disk-intensive and CPU-intensive,
> but not network-intensive. Also, other conditions can
> affect the results. Were the machines on a network with
> a live gateway router? Remember, traffic to, from, and
> through the router is significant, since one of the
> effects of the exploit is to cause a storm of packets
> on the local LAN.
>
> I've made an NT/IIS server virtually inaccessible using
> the same exploit.

We have NT 4.0 Server (SP4) running on a P5/200 here, 128 MB RAM,
EEPro 10/100. On a 100Base-TX HDX isolated LAN, hitting it with the
packets/second set to 1000 resulted in poor system performance;
changing that to 10.000 resulted in the machine almost immediately
crashing all the way to the BIOS boot.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters
Softweyr LLC
wes@softweyr.com
http://softweyr.com/