From owner-freebsd-i386@FreeBSD.ORG Fri Aug 20 22:20:16 2004
Message-Id: <200408202216.i7KMG30p065887@www.freebsd.org>
Date: Fri, 20 Aug 2004 22:16:03 GMT
From: Jeff Harper
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-2.3
Subject: i386/70747: ddos attack causes box to crash on kernel 5.2.1
List-Id: I386-specific issues for FreeBSD

>Number: 70747
>Category: i386
>Synopsis: ddos attack causes box to crash on kernel 5.2.1
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-i386
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Aug 20 22:20:16 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator: Jeff Harper
>Release: 5.2.1
>Organization: AcmeShells
>Environment:
FreeBSD monarch.acmeshells.com 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE #2: Fri Aug 20 12:41:46 MST 2004 jeff@monarch.acmeshells.com:/usr/src/sys/i386/compile/MONARCH i386
>Description:
When someone issues an attack to the machine, the machine ends up crashing; only rebooting will bring it back to life.

Logs of attack:

15:51:48.648519 66.235.193.71.2940 > 69.28.170.151.53: 12337 op6$ [b2&3=0x3233] [13879a] [13365q] [14393n] [16706au][|domain]
15:51:48.648525 66.235.193.71.2940 > 69.28.170.151.53: 12337 op6$ [b2&3=0x3233] [13879a] [13365q] [14393n] [16706au][|domain]
15:51:48.648533 66.235.193.71.2940 > 69.28.170.151.53: 12337 op6$ [b2&3=0x3233] [13879a] [13365q] [14393n] [16706au][|domain]

They send about 200,000 of these to port 53 and bam, the box crashes. This is a plain install with ipfw enabled; ipfw has port 53 blocked on that IP and it still does not help.
>How-To-Repeat:
Someone would have to attack the IP using whatever method they are.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: