Date: Fri, 21 Jan 2000 22:46:55 -0800 (PST)
From: Matthew Dillon
Message-Id: <200001220646.WAA68092@apollo.backplane.com>
To: Gene Harris
Cc: freebsd-security@freebsd.org, Brett Glass
Subject: Re: Follow Up to NT DoS w/stream
Sender: owner-freebsd-security@FreeBSD.ORG

:I then played around, using the FreeBSD box to launch an
:attack with the command ./stream 10.255.255.255 0 0 10000.
:Oh WOW! The network came to a screeching halt. An old
:100 MHz Pentium laptop stopped responding, and a much
:newer Windows 98 machine slowed noticeably. The collision
:light went from an occasional blink to pegged on the
:network hub. The NT machine took forever to read from the CD
:ROM on the Win98 machine. The Linux box stopped responding
:altogether. No machine crashed. I ran the attack for 30
:minutes. As soon as the attack was terminated, all boxes
:returned to normal activity.
:
:(One interesting side note. The Red Hat machine would not let
:me attempt a stream attack with 10.255.255.255. It would
:only return a socket: permission denied error.)
:
:*==============================================*
:*Gene Harris http://www.tetronsoftware.com*

    Yes, this is called a broadcast attack. One of the most important
    rule sets you should have in your border router is to filter out
    any external packets sent to your internal broadcast address, so
    people outside your network can't saturate it with internal machine
    responses.
    IRC hackers often use open broadcast addresses to mount attacks on
    third parties.

					-Matt
					Matthew Dillon
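
The border-router rule set described in the reply above, worked through as an added example (not part of the original message and not code from the FreeBSD project). It goes slightly beyond the single 10.255.255.255 case by covering every internal subnet's directed broadcast and, optionally, the legacy all-zeros broadcast. The subnet list, the interface name fxp0 and the rule numbers are assumptions.

```python
import ipaddress

# Constructed sample: internal subnets behind the border router (assumption).
INTERNAL = ["10.0.0.0/8", "10.1.2.0/24", "192.168.5.64/26", "192.168.9.0/31"]

def broadcast_targets(subnets, legacy_zero=True):
    """Destinations the border filter should refuse from outside.

    Every subnet has its own directed broadcast, so blocking only the
    classful one (10.255.255.255) still leaves 10.1.2.255 reachable.
    legacy_zero also covers the all-zeros address, which some old stacks
    answer as a broadcast.
    """
    targets = set()
    for cidr in subnets:
        net = ipaddress.ip_network(cidr, strict=True)
        if net.version != 4 or net.prefixlen >= 31:
            continue  # /31 and /32 have no broadcast address
        targets.add(net.broadcast_address)
        if legacy_zero:
            targets.add(net.network_address)
    return targets

def verdict(dst, subnets):
    """Decision for a packet arriving on the external interface."""
    hit = ipaddress.ip_address(dst) in broadcast_targets(subnets)
    return "deny" if hit else "pass"

def ipfw_rules(subnets, ext_if, start=1000, step=10):
    """Render one ipfw deny rule per broadcast target, inbound on ext_if."""
    return [
        f"ipfw add {start + i * step} deny ip from any to {addr} in recv {ext_if}"
        for i, addr in enumerate(sorted(broadcast_targets(subnets)))
    ]

if __name__ == "__main__":
    for rule in ipfw_rules(INTERNAL, "fxp0"):  # fxp0: assumed external NIC
        print(rule)
    # Constructed destinations of packets seen on the external side.
    for dst in ["10.255.255.255", "10.1.2.255", "10.1.2.7", "192.168.9.1"]:
        print(dst, verdict(dst, INTERNAL))
```

The rules only help when bound to the external interface; internal hosts still need to reach their own broadcast addresses.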