Date:      Mon, 4 Dec 2000 18:54:26 -0800 (PST)
From:      Matt Dillon <dillon@earth.backplane.com>
To:        Alfred Perlstein <alfred@FreeBSD.ORG>
Cc:        security@FreeBSD.ORG
Subject:   Re: NAPTHA/RAZOR response.
Message-ID:  <200012050254.eB52sQH79995@earth.backplane.com>
References:   <20001204172505.D8051@fw.wintelcom.net>

   I'm sorry (red faced), I just can't resist!

					-Matt


Ok, ah' can't recon' whut some bunch uh hosers dese RAZOR/bindview
guys are, dia' "adviso'y" be nodin' new, dere wuz some news article
about 3 years ago rapin' about dis problem, all dat RAZOR seems
to gots' done be find some pretty lame and bugger'd way uh spoofin' de
source uh de attack which duzn't really wo'k. (it be trivial to
find da damn source uh de attack)

Way t'go bein' some bunch uh attenshun grabbin' lemurs guys, congrats
on de ZDnet article.  Right On!  

So on wid mah' own response 'adviso'y', enjoy, dig dis:

fear**fear**fear**fear**fear**fear**fear**fear**fear**fear**fear**fear**fear
     ################    ################            ######        
       ####        ####    ####        ####        ##      ##      
       ####          ##    ####          ##      ####      ####    
       ####          ####  ####          ####    ##          ##    
       ####          ####  ####          ####  ####          ####  
       ####          ####  ####          ####  ####          ####  
       ####          ##    ####          ##    ####          ####  
       ####        ####    ####        ####    ####          ####  
       ##############      ##############    ######          ####  
       ####      ####      ##########        ######          ####  
       ####        ####    ####  ####        ######          ####  
       ####          ####  ####  ####        ######          ####  
       ####          ####  ####  ######      ######          ####  
       ####          ####  ####    ####        ####          ####  
       ####          ####  ####    ####        ####          ####  
       ####          ####  ####    ######      ####          ####  
       ####          ####  ####      ####      ####          ####  
       ####          ####  ####      ####        ##          ##    
       ####        ####    ####      ######      ####      ####    
       ####      ######    ####        ####        ####  ####      
     ##############      ########    ########          ##          
fear**fear**fear**fear**fear**fear**fear**fear**fear**fear**fear**fear**fear

                    [ Dayam where's de sploitz at? ]

[ Sploit......                                               NAPTHA 1.2 ]
[ Dumbasses responsible.  What it is, Mama!.....                                RAZOR      ]
[ Analysis by.  Slap mah fro!....                Alfred Perlstein <alfred@freebsd.o'g> ]

 _________.. . .
|
:  Summary
'

 RAZOR noticed dat when ya' create some lot uh connecshuns t'a service
 ya' effectively cause da damn remote side t'fo'k bomb and/o' consume
 resources waitin' fo' de connecshuns t'time out.  By slowly tricklin'
 'espected ACKs back t'de applicashun/serva' one kin also keep some lot
 uh resources tied waaay down in bod de applicashun and kernel levels.

 RAZOR wuzn't da damn fust bunch uh tools t'notice dis effect, amazin'ly
 dis effect be seen by some lot uh fust year clunker science students
 when dey snatch deir fust netwo'k honky codemin' class.

 What RAZOR duzn't seem t'clue in on, o' plum pretends dat it be not a
 big-ass deal be dat dis attack requires local edernet access t'be spoofed .
 oderwise unless de victim OS gots'ta easy t'predict TCP sequence numbers..
 ...de attacka' must reveal de source uh de attack (his IP).            :
                                                                           |
                                                              .........____|
 _________.. . .
|
:  Exploit (abstract)
'
 When NAPTHA be deployed remotely one kin simply use tcpdump t'figure
 de source locashun uh de DoS.

 When NAPTHA be deployed locally usin' ARP tricks t'hide one's IP
 one kin simply log onto local switches and view de ARP cache to
 discova' de source.  What it is, Mama!

 Afta' findin' de source uh de attack ya''ll need, dig dis:

 1) some crowbar
 2) some duct tape
 3) some gerbil

 Use 1 (de crowbar) t'boogie de offender's legs and arms, den
 apply 2 (de duct tape) t'offender, we'll leave da damn use uh item
 3 (de gerbil) t'yo' imaginashun, I's sho' nuff ya''ll figure it out.        :
                                                                           |
                                                              .........____|
 _________.. . .
|
:  Wo'karound
'
   Drop idle connecshuns fasta' and deal wid resource sho'tages
   gracefully.  Slap mah fro! (duh.  Right On!  )                                                      :
                                                                           |
                                                              .........____|
 _________.. . .
|
:  Shoutouts to, dig dis:
'  halah (u rul3 m3 b4by), j4mes, ps, pm (plum kiddin', n0 gr33t 4u),
   jba (el8warez 4 u) and jkh (journey rulez)

   Big :P go to, dig dis:
   RAZOR (one wo'd, dig dis: lame)
   CERT (why'd ya' guys release dis junk?)                                .
   SIIG (d3s3 h0s3rz package different chipsets in de same boxes)        :
   billf@efnet (d00d, where's mah' O: ?)                                     |
Dis adviso'y crafted wid vim, damn ah' miss DeDraw :/        .........____|

*narf*


To Unsubscribe, dig dis: t'row mail t'majo'domo@FreeBSD.o'g
wid "unsubscribe freebsd-security" in de body uh de message


