Date: Thu, 20 Jan 2000 13:09:45 -0800 From: jamiE rishaw - master e*tard <jamiE@arpa.com> To: Tom <tom@uniserve.com> Cc: Mike Tancsa <mike@sentex.net>, freebsd-security@freebsd.org, freebsd-stable@freebsd.org, security-officer@freebsd.org Subject: Re: bugtraq posts: stream.c - new FreeBSD exploit? Message-ID: <20000120130945.B24082@x.arpa.com> In-Reply-To: <Pine.BSF.4.02A.10001201232520.26367-100000@shell.uniserve.ca>; from tom@uniserve.com on Thu, Jan 20, 2000 at 12:34:45PM -0800 References: <3.0.5.32.20000120152818.01d7fa40@staff.sentex.ca> <Pine.BSF.4.02A.10001201232520.26367-100000@shell.uniserve.ca>
next in thread | previous in thread | raw e-mail | index | archive | help
I have a copy of this, which I am not giving out. I will probably
fire one off to jkh for sanity, but this looks like a really tough one
to handle.
The program basically fires off *loads* of pkts/sec of ACK at the victim
host.. random source, blah blah.
The problem is, the kernel already (from my understanding) drops bad ACKs
pretty quickly. The thing is, tho, that it's kernel bound.. which means
CPU.. so unless you have tons of extra CPU to spare, this attack will
take your system to a "pause" until the attacker ceases.
The only way to trace this attack is same as a SYN or smurf attack: to
reverse flow "trace", which requires experienced backbone engineers and
cooperation of sometimes multiple providers.
I duno. We'll see.
-jamie
On Thu, Jan 20, 2000 at 12:34:45PM -0800, Tom wrote:
>
> On Thu, 20 Jan 2000, Mike Tancsa wrote:
>
> > Can anyone confirm the bugtraq posting ? Are the freebsd folks working on
> > a fix ? If so, what versions are effected ?
> >
> > ---Mike
> >
> > >The only log that he could provide was this one:
> > >
> > >---snip---
> > >
> > >syslog:Jan 18 12:30:36 x kernel: Kernel panic: Free list empty
> > >
> > >---snip---
> > >
> > >One thing of note: he also stated this happened on non-freebsd systems,
> > >which is contrary to what the other person said, who was "under the
> > >impression it was freebsd specific."
> > >
> > >I have the source, which I'm not going to post for 2-3 days (give time for
> > >fbsd to work on the fix). If it isn't out before the 21st, I'll post it up.
>
>
> Uhh.. there isn't enough information here to determine anything.
>
>
> > ------------------------------------------------------------------------
> > Mike Tancsa, tel +1 519 651 3400
> > Network Administrator, mike@sentex.net
> > Sentex Communications www.sentex.net
> > Cambridge, Ontario Canada
>
>
> Tom
> Uniserve
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
--
i am jamie at arpa dot com this is a no plur zone.
"silly raver, k is for cats!"
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000120130945.B24082>