From owner-freebsd-security Mon Dec 4 18:54:30 2000
From owner-freebsd-security@FreeBSD.ORG Mon Dec 4 18:54:26 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from earth.backplane.com (placeholder-dcat-1076843399.broadbandoffice.net [64.47.83.135]) by hub.freebsd.org (Postfix) with ESMTP id 774BF37B400; Mon, 4 Dec 2000 18:54:26 -0800 (PST)
Received: (from dillon@localhost) by earth.backplane.com (8.11.1/8.9.3) id eB52sQH79995; Mon, 4 Dec 2000 18:54:26 -0800 (PST) (envelope-from dillon)
Date: Mon, 4 Dec 2000 18:54:26 -0800 (PST)
From: Matt Dillon
Message-Id: <200012050254.eB52sQH79995@earth.backplane.com>
To: Alfred Perlstein
Cc: security@FreeBSD.ORG
Subject: Re: NAPTHA/RAZOR response.
References: <20001204172505.D8051@fw.wintelcom.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'm sorry (red faced), I just can't resist!

-Matt

Ok, ah' can't recon' whut some bunch uh hosers dese RAZOR/bindview guys are, dia' "adviso'y" be nodin' new, dere wuz some news article about 3 years ago rapin' about dis problem, all dat RAZOR seems to gots' done be find some pretty lame and bugger'd way uh spoofin' de source uh de attack which duzn't really wo'k. (it be trivial to find da damn source uh de attack) Way t'go bein' some bunch uh attenshun grabbin' lemurs guys, congrats on de ZDnet article. Right On!
So on wid mah' own response 'adviso'y', enjoy, dig dis:

fear**fear**fear**fear**fear**fear**fear**fear**fear**fear**fear**fear**fear
[ ASCII-art banner ]
fear**fear**fear**fear**fear**fear**fear**fear**fear**fear**fear**fear**fear

[ Dayam where's de sploitz at? ]
[ Sploit...... NAPTHA 1.2 ]
[ Dumbasses responsible. What it is, Mama!..... RAZOR ]
[ Analysis by. Slap mah fro!.... Alfred Perlstein ]

_________.. . .
| : Summary '

RAZOR noticed dat when ya' create some lot uh connecshuns t'a service ya' effectively cause da damn remote side t'fo'k bomb and/o' consume resources waitin' fo' de connecshuns t'time out. By slowly tricklin' 'espected ACKs back t'de applicashun/serva' one kin also keep some lot uh resources tied waaay down in bod de applicashun and kernel levels.

RAZOR wuzn't da damn fust bunch uh tools t'notice dis effect, amazin'ly dis effect be seen by some lot uh fust year clunker science students when dey snatch deir fust netwo'k honky codemin' class.

What RAZOR duzn't seem t'clue in on, o' plum pretends dat it be not a big-ass deal be dat dis attack requires local edernet access t'be spoofed . oderwise unless de victim OS gots'ta easy t'predict TCP sequence numbers.. ...de attacka' must reveal de source uh de attack (his IP).

: |
.........____|
_________.. . .
| : Exploit (abstract) '

When NAPTHA be deployed remotely one kin simply use tcpdump t'figure de source locashun uh de DoS. When NAPTHA be deployed locally usin' ARP tricks t'hide one's IP one kin simply log onto local switches and view de ARP cache to discova' de source. What it is, Mama!

Afta' findin' de source uh de attack ya''ll need, dig dis:

1) some crowbar
2) some duct tape
3) some gerbil

Use 1 (de crowbar) t'boogie de offender's legs and arms, den apply 2 (de duct tape) t'offender, we'll leave da damn use uh item 3 (de gerbil) t'yo' imaginashun, I's sho' nuff ya''ll figure it out.

: |
.........____|

_________.. . .
| : Wo'karound '

Drop idle connecshuns fasta' and deal wid resource sho'tages gracefully. Slap mah fro! (duh. Right On! )

: |
.........____|

_________.. . .
| : Shoutouts to, dig dis: '

halah (u rul3 m3 b4by), j4mes, ps, pm (plum kiddin', n0 gr33t 4u), jba (el8warez 4 u) and jkh (journey rulez)

Big :P go to, dig dis:
RAZOR (one wo'd, dig dis: lame)
CERT (why'd ya' guys release dis junk?) .
SIIG (d3s3 h0s3rz package different chipsets in de same boxes)
: billf@efnet (d00d, where's mah' O: ?)
|

Dis adviso'y crafted wid vim, damn ah' miss DeDraw :/
.........____|

*narf*

To Unsubscribe, dig dis: t'row mail t'majo'domo@FreeBSD.o'g wid "unsubscribe freebsd-security" in de body uh de message
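The "Workaround" section of the joke advisory above is the one serious line in it: a server survives NAPTHA-style connection exhaustion by dropping idle peers quickly and by refusing new connections gracefully when its slots are full, rather than forking or allocating until it falls over. The following is an added example written for this page, not code from the message or from any FreeBSD or RAZOR source. It is a small asyncio line-echo server that applies both mitigations, plus a constructed simulation (three silent "attacker" connections, one legitimate client, two excess connections) whose counters show each mitigation taking effect. The timeout and connection cap are constructed values chosen so the simulation finishes in about a second.

```python
"""Connection-exhaustion mitigation demo: idle timeout + connection cap.

Added example, not code from the original message. The limits below are
constructed for the demo; a production service would tune them.
"""
import asyncio
import contextlib

IDLE_TIMEOUT = 0.5      # seconds a peer may stay silent before it is dropped
MAX_CONNECTIONS = 4     # concurrent connections the server is willing to hold


class GuardedEchoServer:
    """Line-echo server that drops idle peers and refuses excess connections."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, max_connections=MAX_CONNECTIONS):
        self.idle_timeout = idle_timeout
        self.max_connections = max_connections
        self.active = 0
        self.stats = {"accepted": 0, "served": 0, "refused": 0, "idle_dropped": 0}
        self._server = None

    async def _close(self, writer):
        writer.close()
        with contextlib.suppress(OSError):
            await writer.wait_closed()

    async def _handle(self, reader, writer):
        # Resource shortage handled gracefully: refuse this connection outright
        # instead of exhausting descriptors or memory for everyone else.
        if self.active >= self.max_connections:
            self.stats["refused"] += 1
            await self._close(writer)
            return
        self.active += 1
        self.stats["accepted"] += 1
        try:
            while True:
                try:
                    line = await asyncio.wait_for(reader.readline(), self.idle_timeout)
                except asyncio.TimeoutError:
                    # Peer holds the slot without talking: reclaim it.
                    self.stats["idle_dropped"] += 1
                    return
                if not line:            # peer closed normally
                    return
                writer.write(line)
                await writer.drain()
                self.stats["served"] += 1
        finally:
            self.active -= 1
            await self._close(writer)

    async def start(self):
        self._server = await asyncio.start_server(self._handle, "127.0.0.1", 0)
        return self._server.sockets[0].getsockname()[1]

    async def stop(self):
        self._server.close()
        await self._server.wait_closed()


async def _simulate():
    srv = GuardedEchoServer()
    port = await srv.start()

    async def connect():
        return await asyncio.open_connection("127.0.0.1", port)

    async def closed_by_server(reader):
        # EOF on read means the server hung up on this connection.
        return await asyncio.wait_for(reader.readline(), 5) == b""

    # Three constructed "attackers": connect, then never send a complete line.
    idle = [await connect() for _ in range(3)]
    # One legitimate client that actually talks and gets served.
    good_r, good_w = await connect()
    good_w.write(b"hello\n")
    await good_w.drain()
    echoed = await asyncio.wait_for(good_r.readline(), 5)
    await asyncio.sleep(0.1)            # let the server register all four slots
    # Two more arrive while every slot is taken: refused immediately.
    excess = [await connect() for _ in range(2)]
    excess_eof = all([await closed_by_server(r) for r, _ in excess])
    good_w.close()
    with contextlib.suppress(OSError):
        await good_w.wait_closed()
    # Wait past the idle timeout: the silent peers are dropped and slots freed.
    await asyncio.sleep(IDLE_TIMEOUT + 0.5)
    idle_eof = all([await closed_by_server(r) for r, _ in idle])
    for _, w in idle + excess:
        w.close()
    await srv.stop()
    return {**srv.stats, "echoed": echoed, "excess_eof": excess_eof, "idle_eof": idle_eof}


def demo():
    """Run the simulation and return the observed counters."""
    return asyncio.run(_simulate())


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields four accepted connections, one served line, two refused connections and three idle drops; the same two knobs (idle timeout, concurrency cap) are what the kernel's own TCP keepalive and listen-queue limits provide one layer down, and an application-level server needs both levels because the trickled-ACK variant keeps the connection established and so passes the kernel's checks.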