Date: Thu, 20 Jan 2000 13:09:45 -0800
From: jamiE rishaw - master e*tard <jamiE@arpa.com>
To: Tom <tom@uniserve.com>
Cc: Mike Tancsa <mike@sentex.net>, freebsd-security@freebsd.org, freebsd-stable@freebsd.org, security-officer@freebsd.org
Subject: Re: bugtraq posts: stream.c - new FreeBSD exploit?
Message-ID: <20000120130945.B24082@x.arpa.com>
In-Reply-To: <Pine.BSF.4.02A.10001201232520.26367-100000@shell.uniserve.ca>; from tom@uniserve.com on Thu, Jan 20, 2000 at 12:34:45PM -0800
References: <3.0.5.32.20000120152818.01d7fa40@staff.sentex.ca> <Pine.BSF.4.02A.10001201232520.26367-100000@shell.uniserve.ca>

I have a copy of this, which I am not giving out. I will probably fire one
off to jkh for sanity, but this looks like a really tough one to handle.

The program basically fires off *loads* of pkts/sec of ACK at the victim
host.. random source, blah blah.

The problem is, the kernel already (from my understanding) drops bad ACKs
pretty quickly. The thing is, tho, that it's kernel bound.. which means
CPU.. so unless you have tons of extra CPU to spare, this attack will take
your system to a "pause" until the attacker ceases.

The only way to trace this attack is same as a SYN or smurf attack: to reverse
flow "trace", which requires experienced backbone engineers and cooperation
of sometimes multiple providers.

I dunno. We'll see.

-jamie

On Thu, Jan 20, 2000 at 12:34:45PM -0800, Tom wrote:
>
> On Thu, 20 Jan 2000, Mike Tancsa wrote:
>
> > Can anyone confirm the bugtraq posting ? Are the freebsd folks working on
> > a fix ? If so, what versions are affected ?
> >
> > ---Mike
> >
> > >The only log that he could provide was this one:
> > >
> > >---snip---
> > >
> > >syslog:Jan 18 12:30:36 x kernel: Kernel panic: Free list empty
> > >
> > >---snip---
> > >
> > >One thing of note: he also stated this happened on non-freebsd systems,
> > >which is contrary to what the other person said, who was "under the
> > >impression it was freebsd specific."
> > >
> > >I have the source, which I'm not going to post for 2-3 days (give time for
> > >fbsd to work on the fix). If it isn't out before the 21st, I'll post it up.
>
> Uhh.. there isn't enough information here to determine anything.
>
> > ------------------------------------------------------------------------
> > Mike Tancsa, tel +1 519 651 3400
> > Network Administrator, mike@sentex.net
> > Sentex Communications www.sentex.net
> > Cambridge, Ontario Canada
>
>
> Tom
> Uniserve
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
i am jamie at arpa dot com
this is a no plur zone.
"silly raver, k is for cats!"


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000120130945.B24082>