From: Brad Guillory
To: freebsd-security@FreeBSD.ORG
Date: Fri, 21 Jan 2000 22:59:12 -0600
Subject: Re: Some observations on stream.c and streamnt.c
Message-ID: <20000121225912.A5907@baileylink.net>

On Fri, Jan 21, 2000 at 05:17:59PM -0600, I wrote:
> I don't understand how a "script kiddie" is going to garner the bandwidth
> to run an attack into the multi-megabit range. This is not a leveraged
> attack (right?). What kind of packet rate are we talking about to reboot
> a system, I understand that this will depend on the equipment, but I am
> interested in any numbers that would allow me to evaluate the real impact
> that this DOS will have. Most people that have enough bandwidth to launch
> a multi-megabit attack have better things to do than (or is it then) to pick
> on me. Thanx all, BMG

Thank you for the responses everyone, it seems that someone even decided to show me just how vulnerable that I was. I did not see anyone address approximately what number of pps that we are talking about to significantly affect a machine?
I only have 9 mbit/sec uplink here so I am wondering if I really have to worry about this. I imagine that there are several other people out there that are in the same boat as me. I am really looking for an order of magnitude here. I think that I heard Wes say that 1,000 packets per second lagged a machine, and 10,000 packets per second cause a reboot, but he didn't say what type of machine.

So how big is the smallest ack packet? 20 bytes? So if I have all my unit conversions correct:

1,000[packets/sec] x 20[bytes/packet] x 10[bit/byte] = 200,000bit/sec
10,000pps = 2,000,000bit/sec

If you are connected via anything bigger than a T1 you have something to worry about. Does this sound reasonable? Otherwise it is "just" a DOS.

Everything is out of the window if the attacker is on your LAN, but in that case you probably have bigger issues to deal with.

Thanx,
BMG