Date:      Thu, 20 Jan 2000 17:32:03 -0700
From:      Brett Glass <brett@lariat.org>
To:        jamiE rishaw - master e*tard <jamiE@arpa.com>, Tom <tom@uniserve.com>
Cc:        Mike Tancsa <mike@sentex.net>, freebsd-security@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject:   Re: bugtraq posts:  stream.c - new FreeBSD exploit?
Message-ID:  <4.2.2.20000120172607.0198f1e0@localhost>
In-Reply-To: <20000120130945.B24082@x.arpa.com>
References:  <Pine.BSF.4.02A.10001201232520.26367-100000@shell.uniserve.ca> <3.0.5.32.20000120152818.01d7fa40@staff.sentex.ca> <Pine.BSF.4.02A.10001201232520.26367-100000@shell.uniserve.ca>

At 02:09 PM 1/20/2000 , jamiE rishaw - master e*tard wrote:

>I have a copy of this, which I am not giving out.  I will probably
>fire one off to jkh for sanity, 

I've been a good boy, so I hope that, er, Sanity doesn't come down the
chimney of any of the systems I administer before there's a patch! ;-)

>but this looks like a really tough one
>to handle.
>
>The program basically fires off *loads* of pkts/sec of ACK at the victim
>host.. random source, blah blah.
>
>The problem is, the kernel already (from my understanding) drops bad ACKs
>pretty quickly.  The thing is, tho, that it's kernel bound.. which means
>CPU.. so unless you have tons of extra CPU to spare, this attack will
>take your system to a "pause" until the attacker ceases.

The name "stream.c" makes it sound like a local, not remote, DoS. Does
it have to be done from inside the system to be effective? I would think
that, if it came from the outside, it'd be harder to saturate the
victim. 

I can think of ways to filter this by adding some stuff to IPFW.

--Brett


