Date: Fri, 21 Jan 2000 12:48:41 +1100 (Australia/NSW)
From: Darren Reed <avalon@coombs.anu.edu.au>
To: avalon@coombs.anu.edu.au (Darren Reed)
Cc: brett@lariat.org (Brett Glass), avalon@coombs.anu.edu.au (Darren Reed), imp@village.org (Warner Losh), jamiE@arpa.com (jamiE rishaw - master e*tard), tom@uniserve.com (Tom), mike@sentex.net (Mike Tancsa), freebsd-security@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG
Subject: Re: bugtraq posts: stream.c - new FreeBSD exploit?
Message-ID: <200001210148.MAA29656@cairo.anu.edu.au>
In-Reply-To: <200001210103.MAA20844@cairo.anu.edu.au> from "Darren Reed" at Jan 21, 2000 12:03:35 PM
If you are using ipnat and have ipfilter installed, the workaround is as
follows:

pass in all
block in proto tcp all head 100
pass in proto tcp from any to any flags S keep state group 100

This (1) continues to let all packets in, (2) blocks (silent drop) all TCP
packets except for (3) SYN-only packets, which cause a state entry to be made.

I'm of no doubt that this attack will cause some %CPU to be used in checking
the IP Filter state tables, but it will not result in TCP RSTs being
generated in reply.

I've tested this again against the same solaris7 box and results are:

# ping -s 10.100.1.2
PING 10.100.1.2: 56 data bytes
64 bytes from solaris7 (10.100.1.2): icmp_seq=0. time=2. ms
64 bytes from solaris7 (10.100.1.2): icmp_seq=1. time=0. ms
64 bytes from solaris7 (10.100.1.2): icmp_seq=2. time=0. ms
64 bytes from solaris7 (10.100.1.2): icmp_seq=3. time=0. ms
64 bytes from solaris7 (10.100.1.2): icmp_seq=4. time=0. ms
64 bytes from solaris7 (10.100.1.2): icmp_seq=5. time=0. ms
64 bytes from solaris7 (10.100.1.2): icmp_seq=6. time=0. ms
64 bytes from solaris7 (10.100.1.2): icmp_seq=7. time=0. ms
64 bytes from solaris7 (10.100.1.2): icmp_seq=8. time=0. ms
64 bytes from solaris7 (10.100.1.2): icmp_seq=9. time=0. ms
64 bytes from solaris7 (10.100.1.2): icmp_seq=10. time=0. ms
-- start
64 bytes from solaris7 (10.100.1.2): icmp_seq=11. time=0. ms
64 bytes from solaris7 (10.100.1.2): icmp_seq=12. time=0. ms
64 bytes from solaris7 (10.100.1.2): icmp_seq=13. time=0. ms
64 bytes from solaris7 (10.100.1.2): icmp_seq=14. time=0. ms
64 bytes from solaris7 (10.100.1.2): icmp_seq=15. time=0. ms
64 bytes from solaris7 (10.100.1.2): icmp_seq=16. time=1. ms
64 bytes from solaris7 (10.100.1.2): icmp_seq=17. time=0. ms
64 bytes from solaris7 (10.100.1.2): icmp_seq=18. time=0. ms
64 bytes from solaris7 (10.100.1.2): icmp_seq=19. time=0. ms
64 bytes from solaris7 (10.100.1.2): icmp_seq=20. time=0. ms
-- end
64 bytes from solaris7 (10.100.1.2): icmp_seq=21. time=0. ms
64 bytes from solaris7 (10.100.1.2): icmp_seq=22. time=0. ms
64 bytes from solaris7 (10.100.1.2): icmp_seq=23. time=0. ms
64 bytes from solaris7 (10.100.1.2): icmp_seq=24. time=0. ms
^C
----10.100.1.2 PING Statistics----
25 packets transmitted, 25 packets received, 0% packet loss
round-trip (ms)  min/avg/max = 0/0/2
# ipfstat -hio
empty list for ipfilter(out)
123021 pass in from any to any
122994 block in proto tcp from any to any head 100
0 pass in proto tcp from any to any flags S/FSRPAU keep state group 100

Darren

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
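As an added example (not from Darren's mail or the IP Filter code), a small Python model of how this three-rule set is evaluated: last match wins, the head rule hands TCP packets to group 100, "flags S" is S/FSRPAU, and packets matching a state entry skip the rule list entirely, so a stray ACK is dropped before the TCP stack can answer it with a RST. The state key, the packets and the addresses are constructed assumptions; real ipf also keys state on ports and checks sequence windows.

```python
from dataclasses import dataclass, field


@dataclass
class Pkt:
    proto: str       # "tcp" or "icmp"
    src: str
    dst: str
    flags: str = ""  # TCP flags set, using ipfstat's letters: F S R P A U


@dataclass
class IpfModel:
    # Hit counters for the three rules, in the order ipfstat -hio lists them.
    counts: list = field(default_factory=lambda: [0, 0, 0])
    # Simplified state table keyed on (src, dst); real ipf keys on ports too.
    state: set = field(default_factory=set)

    def filter_in(self, p: Pkt) -> str:
        """Decide one inbound packet: 'pass' or 'block'."""
        # A packet matching an existing state entry bypasses the rule list.
        if p.proto == "tcp" and (p.src, p.dst) in self.state:
            return "pass"
        # Rule 1, "pass in all": matches everything; last match wins, so a
        # later matching rule can still override this decision.
        self.counts[0] += 1
        action = "pass"
        if p.proto == "tcp":
            # Rule 2, "block in proto tcp all head 100": evaluation continues
            # inside group 100; if nothing there matches, the block stands.
            self.counts[1] += 1
            action = "block"
            # Rule 3 (group 100), "flags S": ipfstat prints it as S/FSRPAU,
            # i.e. SYN set and FIN/RST/PSH/ACK/URG all clear. A match passes
            # the packet and creates a state entry for its follow-ups.
            if set(p.flags) == {"S"}:
                self.counts[2] += 1
                action = "pass"
                self.state.add((p.src, p.dst))
        return action


def run_scenario() -> dict:
    """Constructed traffic: one ping, one real SYN plus its ACK, then 100
    ACKs with no state (segments that would otherwise draw a RST)."""
    fw = IpfModel()
    r = {}
    r["icmp"] = fw.filter_in(Pkt("icmp", "10.100.1.1", "10.100.1.2"))
    r["syn"] = fw.filter_in(Pkt("tcp", "10.100.1.1", "10.100.1.2", "S"))
    r["ack_after_syn"] = fw.filter_in(Pkt("tcp", "10.100.1.1", "10.100.1.2", "A"))
    stray = [fw.filter_in(Pkt("tcp", "10.100.1.9", "10.100.1.2", "A")) for _ in range(100)]
    r["stray_acks_blocked"] = stray.count("block")
    r["rule_hits"] = list(fw.counts)   # mirrors the ipfstat -hio counters
    return r
```

Note how the rule-hit pattern matches the mail's ipfstat output: every packet hits rule 1, every stateless TCP packet also hits the head rule, and rule 3 only counts SYNs, so an ACK-only flood leaves it at 0.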