From owner-freebsd-security Fri Jan 21 14:51:46 2000
Delivered-To: freebsd-security@freebsd.org
Received: from tetron02.tetronsoftware.com (ftp.tetronsoftware.com [208.236.46.106])
	by hub.freebsd.org (Postfix) with ESMTP id 2DCBD14D14
	for ; Fri, 21 Jan 2000 14:51:41 -0800 (PST)
	(envelope-from zeus@tetronsoftware.com)
Received: from tetron02.tetronsoftware.com (tetron02.tetronsoftware.com [208.236.46.106])
	by tetron02.tetronsoftware.com (8.9.3/8.9.3) with ESMTP id QAA04476;
	Fri, 21 Jan 2000 16:55:02 -0600 (CST)
	(envelope-from zeus@tetronsoftware.com)
Date: Fri, 21 Jan 2000 16:55:02 -0600 (CST)
From: Gene Harris
To: Wes Peters
Cc: Brett Glass , freebsd-security@freebsd.org
Subject: Re: Some observations on stream.c and streamnt.c
In-Reply-To: <3888DF96.33157880@softweyr.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Wes,

SP5 and SP6 made some pretty big revisions to the TCP stack.
That's why I was meticulous on reporting SP6a. It does make
a difference. I am now sitting here with the machine hooked
to a 100 MB network with the attacking machine on the other
side of a T3 at telepath.com. We cannot see any effect on
the NT Server, running IIS and SQL Server as a custom web
provider. This is a production machine.

*==============================================*
*Gene Harris      http://www.tetronsoftware.com*
*FreeBSD Novice                                *
*All ORBS.org SMTP connections are denied!     *
*==============================================*

On Fri, 21 Jan 2000, Wes Peters wrote:

> Brett Glass wrote:
> >
> > At 02:18 PM 1/21/2000 , Gene Harris wrote:
> >
> > >After eight hours of testing, in which I have been
> > >bombarding the NT 4.0 SP6a Server, the CPU usage on an
> > >unloaded machine jumped to 27%. However, when I started up
> > >Oracle 8.05 and ran a rather lengthy query against a 400MB
> > >database, no distinguishable differences exist in the query
> > >time between a machine under attack and one not under
> > >attack.
> >
> > A poor test, IMHO. It's disk-intensive and CPU-intensive,
> > but not network-intensive. Also, other conditions can
> > affect the results. Were the machines on a network with
> > a live gateway router? Remember, traffic to, from, and
> > through the router is significant, since one of the
> > effects of the exploit is to cause a storm of packets
> > on the local LAN.
> >
> > I've made an NT/IIS server virtually inaccessible using
> > the same exploit.
>
> We have NT 4.0 Server (SP4) running on a P5/200 here, 128 MB RAM, EEPro
> 10/100. On a 100Base-TX HDX isolated LAN, hitting it with the packets/
> second set to 1000 resulted in poor system performance; changing that to
> 10.000 resulted in the machine almost immediately crashing all the way
> to the BIOS boot.
>
> --
> "Where am I, and what am I doing in this handbasket?"
>
> Wes Peters                                              Softweyr LLC
> wes@softweyr.com                                http://softweyr.com/
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message