From owner-freebsd-security Tue Apr 21 04:34:47 1998
Return-Path:
Received: (from majordom@localhost)
        by hub.freebsd.org (8.8.8/8.8.8) id EAA19548
        for freebsd-security-outgoing; Tue, 21 Apr 1998 04:34:47 -0700 (PDT)
        (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from indigo.ie (nsmart@ts01-63.waterford.indigo.ie [194.125.139.126])
        by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA19529
        for ; Tue, 21 Apr 1998 11:34:41 GMT
        (envelope-from rotel@indigo.ie)
Received: (from nsmart@localhost)
        by indigo.ie (8.8.8/8.8.7) id MAA00823;
        Tue, 21 Apr 1998 12:32:02 +0100 (IST)
        (envelope-from rotel@indigo.ie)
From: Niall Smart
Message-Id: <199804211132.MAA00823@indigo.ie>
Date: Tue, 21 Apr 1998 12:32:02 +0000
In-Reply-To: "Alexander B. Povolotsky" "New DoS attack?" (Apr 21, 9:33am)
Reply-To: rotel@indigo.ie
X-Mailer: Mail User's Shell (7.2.6 beta(3) 11/17/96)
To: "Alexander B. Povolotsky" , freebsd-security@FreeBSD.ORG
Subject: Re: New DoS attack?
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Apr 21, 9:33am, "Alexander B. Povolotsky" wrote:
} Subject: New DoS attack?
> Strangely, I've posted this message TWICE, but still don't see it...

This is the first time I've seen it. Is the other address subscribed to
security@freebsd.org or freebsd-security@freebsd.org?

> During last months, I've experienced several STRANGE hangs. TCP stack worked
> OK, while nothing else did. I thought of poor hardware, instable snap,
> everything else.
>
> Several days ago, I've heard _rumor_ of DoS attack on BSD stack, based on TCP
> packet sent to or maybe from port 0. I've installed ipfw rule:
>
>     drop log tcp from any 0 to any
>
> and today I've found two packets destined from 200.255.209.92 port 0 dropped.
> They were destined to port 143 (imap), while I'm 101% sure that no one from
> mi-rj52.montreal.com.br have any mail account on my box.

Could you (anyone?) dump all packets coming from/going to port 0 using
tcpdump and send me any logs?
I'm not sure if this means you'll have to turn off the ipfw rule, I don't
know at what stage the packets get filtered.

Niall

--
Niall Smart. PGP: finger njs3@motmot.doc.ic.ac.uk
FreeBSD: Turning PC's into Workstations: www.freebsd.org
Annoy your enemies and astonish your friends:
echo "#define if(x) if (!(x))" >> /usr/include/stdio.h