From owner-freebsd-security Tue Feb 2 20:04:25 1999
Return-Path:
Received: (from majordom@localhost)
        by hub.freebsd.org (8.8.8/8.8.8) id UAA06823
        for freebsd-security-outgoing; Tue, 2 Feb 1999 20:04:25 -0800 (PST)
        (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from weathership.homeport.org (weathership.homeport.org [207.31.235.99])
        by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA06814
        for ; Tue, 2 Feb 1999 20:04:23 -0800 (PST)
        (envelope-from adam@weathership.homeport.org)
Received: (from adam@localhost)
        by weathership.homeport.org (8.8.8/8.8.5) id XAA20584;
        Tue, 2 Feb 1999 23:16:06 -0500 (EST)
Message-ID: <19990202231605.A20526@weathership.homeport.org>
Date: Tue, 2 Feb 1999 23:16:05 -0500
From: Adam Shostack
To: Yuan John Jiang , freebsd-security@FreeBSD.ORG
Subject: Re: How to do DOS checking without crashing the system?
References: <199901170358.WAA29400@cletus.cw.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93i
In-Reply-To: <199901170358.WAA29400@cletus.cw.net>; from Yuan John Jiang on Sat, Jan 16, 1999 at 10:58:13PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, Jan 16, 1999 at 10:58:13PM -0500, Yuan John Jiang wrote:
| I'm thinking of using a vulnerability scanner, e.g. ISS, CyberCop, SATA
| or a homemade,
| to automate part of my security auditing of the boxes in service.
| However, how should I check for denial-of-service type of vulnerabilities,
| such as Land or Teardrop without crashing boxes and disrupting the service?
|
| I guess a simple thing to do is to check the OS version. However, I hope
| someone can suggest something more reliable.

You can learn a certain amount using TCP fingerprinting; e.g., this
host is not vulnerable to this problem. However, you can't learn that
something is vulnerable to teardrop without either having some sort of
agent or login on the machine to reliably get patch information, or
with a 'live fire' test.

(If you can think of a way to do this, it would make a fascinating
paper, and/or you could sell it. I'm confident that Netect would pay
for such a technique, since we want to encourage customers to do DOS
testing, and encounter exactly the above problem.)

Let me point out also that keeping up with the new techniques out
there and adding tests for them is more than a full-time job. The
Nessus project is gathering speed, and if you're thinking of
homegrowing something, you may want to consider supporting them
instead. See www.nessus.org.

Adam

--
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume