Delivered-To: freebsd-questions@freebsd.org
Date: Tue, 4 Dec 2001 13:56:03 +0000
From: Josh Paetzel
To: "Riley J. McIntire"
Cc: Stephen Hovey, FreeBSD Questions
Subject: Re: icmp dos attack? sshd core dump
Message-ID: <20011204135602.B446@twincat.vladsempire.net>
In-Reply-To: message from rileyjmc@pacbell.net on Tue, Dec 04, 2001 at 10:56:09AM -0800
User-Agent: Mutt/1.2.5i

> The "OpenSSH UseLogin directive permits privilege escalation advisory",
> if that's what you're referring to, doesn't seem to apply. It's a hole
> for an otherwise authorized user (hmmm) and only with "UseLogin"
> enabled, which it isn't.
>
> Riley

Correct, this is irrelevant.

> > On Tue, 4 Dec 2001, Riley J. McIntire wrote:
> >
> > > This just showed up in a security check output log:
> > >
> > > > icmp-response bandwidth limit 240/200 pps
> > > > icmp-response bandwidth limit 213/200 pps
> > > snip pages of this
> > > then
> > > > pid 49374 (sshd), uid 0: exited on signal 11 (core dumped)
> > > > pid 49375 (sshd), uid 0: exited on signal 11 (core dumped)
> > > snip
> > > > pid 49391 (sshd), uid 0: exited on signal 11 (core dumped)
> > > > pid 49394 (sshd), uid 0: exited on signal 11 (core dumped)
> > > > pid 49396 (sshd), uid 0: exited on signal 10 (core dumped)
> > > > pid 49397 (sshd), uid 0: exited on signal 10 (core dumped)
> > > snip
> > > > pid 49465 (sshd), uid 0: exited on signal 10 (core dumped)
> > > > pid 49466 (sshd), uid 0: exited on signal 10 (core dumped)
> > >
> > > Note the change from a sig 11 to 10.
> > >
> > > A DOS attack? The machine is up, I can connect via ssh, and I'm a bit
> > > at a loss of what, if anything, to do about this?
> > >
> > > Thanks,
> > >
> > > Riley

What version of FreeBSD are you running? IIRC, there was a remote hole in
sshd on 4.3-RELEASE. Also, what is restarting sshd? You have some sort of
cron job running or something?

FWIW, I rarely see ICMP DoS attacks anymore. Even the MS products have been
mostly patched against them, and internet routers don't forward large ICMP
packets for the most part any more. They are pretty worthless for eating
bandwidth or fux0ring TCP stacks. I DO see a lot of IGMP based stuff, which
is pretty damn effective at using up your bandwidth, but doesn't seem to do
anything to FreeBSD's TCP stack.

Anyways, based on that, it makes it seem local to me, like someone is
running ping -f as root or something. Still doesn't make a lot of sense that
that would cause sshd to dump core. Seems more likely that they are two
different things, related perhaps only in who is doing them.

Josh

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
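As an added triage example (not from the thread above), the script below parses the two kinds of kernel messages Riley quoted, the "icmp-response bandwidth limit" lines and the "exited on signal ... (core dumped)" lines, and summarises them separately so the ICMP rate-limit noise and the root-owned daemon crashes can be judged on their own, as Josh suggests. The syslog prefix and the log lines themselves are constructed samples; signal names follow FreeBSD numbering (10 = SIGBUS, 11 = SIGSEGV).

```python
import re
from collections import Counter

# Constructed sample of /var/log/messages lines shaped like the ones in the thread.
SAMPLE_LOG = """\
Dec  4 03:01:12 host /kernel: icmp-response bandwidth limit 240/200 pps
Dec  4 03:01:13 host /kernel: icmp-response bandwidth limit 213/200 pps
Dec  4 03:02:40 host /kernel: pid 49374 (sshd), uid 0: exited on signal 11 (core dumped)
Dec  4 03:02:41 host /kernel: pid 49375 (sshd), uid 0: exited on signal 11 (core dumped)
Dec  4 03:05:02 host /kernel: pid 49396 (sshd), uid 0: exited on signal 10 (core dumped)
Dec  4 03:05:03 host /kernel: pid 49397 (sshd), uid 0: exited on signal 10 (core dumped)
Dec  4 03:06:00 host /kernel: pid 50001 (httpd), uid 80: exited on signal 11 (core dumped)
"""

ICMP_RE = re.compile(r"icmp-response bandwidth limit (\d+)/(\d+) pps")
CORE_RE = re.compile(r"pid (\d+) \((\S+)\), uid (\d+): exited on signal (\d+)")

# FreeBSD signal numbers for the two seen in the thread.
SIGNAL_NAMES = {10: "SIGBUS", 11: "SIGSEGV"}


def triage(log_text):
    """Summarise ICMP rate-limit hits and core dumps per (daemon, uid, signal)."""
    icmp_hits = []          # (observed pps, configured limit) per message
    cores = Counter()       # (daemon, uid, signal number) -> count
    for line in log_text.splitlines():
        m = ICMP_RE.search(line)
        if m:
            icmp_hits.append((int(m.group(1)), int(m.group(2))))
            continue
        m = CORE_RE.search(line)
        if m:
            _pid, daemon, uid, sig = m.groups()
            cores[(daemon, int(uid), int(sig))] += 1
    return {
        "icmp_events": len(icmp_hits),
        "icmp_peak_pps": max((seen for seen, _limit in icmp_hits), default=0),
        "cores": dict(cores),
    }


def root_daemon_crashes(summary):
    """Daemons that dumped core while running as uid 0; these get looked at first."""
    return sorted({d for (d, uid, _sig) in summary["cores"] if uid == 0})


def describe_signals(summary):
    """Map each crashing daemon to the signal names it died with, e.g. sshd -> SIGBUS, SIGSEGV."""
    out = {}
    for (d, _uid, sig) in summary["cores"]:
        out.setdefault(d, set()).add(SIGNAL_NAMES.get(sig, f"SIG{sig}"))
    return {d: sorted(names) for d, names in out.items()}
```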