From owner-freebsd-security Thu Jan 20 16:32:30 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2])
    by hub.freebsd.org (Postfix) with ESMTP id 8847D14C9E;
    Thu, 20 Jan 2000 16:32:23 -0800 (PST)
    (envelope-from brett@lariat.org)
Received: from workhorse (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2])
    by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id RAA11281;
    Thu, 20 Jan 2000 17:32:04 -0700 (MST)
Message-Id: <4.2.2.20000120172607.0198f1e0@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2
Date: Thu, 20 Jan 2000 17:32:03 -0700
To: jamiE rishaw - master e*tard , Tom
From: Brett Glass
Subject: Re: bugtraq posts: stream.c - new FreeBSD exploit?
Cc: Mike Tancsa , freebsd-security@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG, security-officer@FreeBSD.ORG
In-Reply-To: <20000120130945.B24082@x.arpa.com>
References: <3.0.5.32.20000120152818.01d7fa40@staff.sentex.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 02:09 PM 1/20/2000, jamiE rishaw - master e*tard wrote:

>I have a copy of this, which I am not giving out. I will probably
>fire one off to jkh for sanity,

I've been a good boy, so I hope that, er, Sanity doesn't come down the chimney of any of the systems I administer before there's a patch! ;-)

>but this looks like a really tough one
>to handle.
>
>The program basically fires off *loads* of pkts/sec of ACK at the victim
>host.. random source, blah blah.
>
>The problem is, the kernel already (from my understanding) drops bad ACKs
>pretty quickly. The thing is, tho, that it's kernel bound.. which means
>CPU.. so unless you have tons of extra CPU to spare, this attack will
>take your system to a "pause" until the attacker ceases.

The name "stream.c" makes it sound like a local, not remote, DoS. Does it have to be done from inside the system to be effective?
I would think that, if it came from the outside, it'd be harder to saturate the victim. I can think of ways to filter this by adding some stuff to IPFW.

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
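
The traffic pattern described in the quoted text (a high rate of ACK-only segments from random sources that belong to no connection) can be picked out of a packet capture. The following is an added example, not part of the original message or the FreeBSD project's code; the simplified tcpdump-style line format, the sample addresses, the thresholds and the function name `stray_ack_report` are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Simplified tcpdump-style line (constructed format, an assumption):
# "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>]"
LINE = re.compile(r"^(\d+\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([A-Z.]+)\]")

def stray_ack_report(lines, threshold=5, window=1.0):
    """Return {dst: (stray_acks, distinct_sources)} for flagged hosts.

    A stray ACK is an ACK-only segment on a flow with no SYN seen in either
    direction. A host is flagged once more than `threshold` stray ACKs reach
    it within `window` seconds. Both limits are illustrative.
    """
    handshakes = set()         # flows on which a SYN was observed
    stray = defaultdict(list)  # dst -> [(timestamp, src), ...]
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts, src, sport, dst, dport, flags = m.groups()
        flow = frozenset([(src, sport), (dst, dport)])
        if "S" in flags:
            handshakes.add(flow)
        elif flags == "." and flow not in handshakes:
            stray[dst].append((float(ts), src))
    report = {}
    for dst, events in stray.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 > threshold:
                report[dst] = (len(events), len({s for _, s in events}))
                break
    return report

# Constructed sample: one real handshake, then 20 ACK-only segments from
# distinct documentation-range sources that never sent a SYN.
SAMPLE = [
    "0.000000 IP 198.51.100.7.51000 > 192.0.2.10.80: Flags [S]",
    "0.000200 IP 192.0.2.10.80 > 198.51.100.7.51000: Flags [S.]",
    "0.000400 IP 198.51.100.7.51000 > 192.0.2.10.80: Flags [.]",
] + [
    f"{0.01 + 0.001 * i:.6f} IP 203.0.113.{i}.{1024 + i} > 192.0.2.10.80: Flags [.]"
    for i in range(1, 21)
]
```

Connections that were already established when the capture began have no recorded SYN, so their ACKs are also counted as stray; start the capture before the period of interest or raise the threshold accordingly.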