From owner-freebsd-security Thu Jan 20 17:49:11 2000
Delivered-To: freebsd-security@freebsd.org
Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11]) by hub.freebsd.org (Postfix) with ESMTP id 5943514D72; Thu, 20 Jan 2000 17:48:57 -0800 (PST) (envelope-from avalon@cairo.anu.edu.au)
Received: (from avalon@localhost) by cairo.anu.edu.au (8.9.3/8.9.3) id MAA29656; Fri, 21 Jan 2000 12:48:41 +1100 (EST)
From: Darren Reed
Message-Id: <200001210148.MAA29656@cairo.anu.edu.au>
Subject: Re: bugtraq posts: stream.c - new FreeBSD exploit?
To: avalon@coombs.anu.edu.au (Darren Reed)
Date: Fri, 21 Jan 2000 12:48:41 +1100 (Australia/NSW)
Cc: brett@lariat.org (Brett Glass), avalon@coombs.anu.edu.au (Darren Reed), imp@village.org (Warner Losh), jamiE@arpa.com (jamiE rishaw - master e*tard), tom@uniserve.com (Tom), mike@sentex.net (Mike Tancsa), freebsd-security@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG
In-Reply-To: <200001210103.MAA20844@cairo.anu.edu.au> from "Darren Reed" at Jan 21, 2000 12:03:35 PM
X-Mailer: ELM [version 2.5 PL1]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

If you are using ipnat and have ipfilter installed, the workaround is as
follows:

    pass in all
    block in proto tcp all head 100
    pass in proto tcp from any to any flags S keep state group 100

This (1) continues to let all packets in, (2) blocks (silent drop) all TCP
packets except for (3) SYN-only packets, which cause a state entry to be
made.

I'm of no doubt that this attack will cause some %CPU to be used in
checking the IP Filter state tables, but it will not result in TCP RSTs
being generated in reply.

I've tested this again against the same solaris7 box and results are:

    # ping -s 10.100.1.2
    PING 10.100.1.2: 56 data bytes
    64 bytes from solaris7 (10.100.1.2): icmp_seq=0. time=2. ms
    64 bytes from solaris7 (10.100.1.2): icmp_seq=1. time=0. ms
    64 bytes from solaris7 (10.100.1.2): icmp_seq=2. time=0. ms
    64 bytes from solaris7 (10.100.1.2): icmp_seq=3. time=0. ms
    64 bytes from solaris7 (10.100.1.2): icmp_seq=4. time=0. ms
    64 bytes from solaris7 (10.100.1.2): icmp_seq=5. time=0. ms
    64 bytes from solaris7 (10.100.1.2): icmp_seq=6. time=0. ms
    64 bytes from solaris7 (10.100.1.2): icmp_seq=7. time=0. ms
    64 bytes from solaris7 (10.100.1.2): icmp_seq=8. time=0. ms
    64 bytes from solaris7 (10.100.1.2): icmp_seq=9. time=0. ms
    64 bytes from solaris7 (10.100.1.2): icmp_seq=10. time=0. ms
    -- start
    64 bytes from solaris7 (10.100.1.2): icmp_seq=11. time=0. ms
    64 bytes from solaris7 (10.100.1.2): icmp_seq=12. time=0. ms
    64 bytes from solaris7 (10.100.1.2): icmp_seq=13. time=0. ms
    64 bytes from solaris7 (10.100.1.2): icmp_seq=14. time=0. ms
    64 bytes from solaris7 (10.100.1.2): icmp_seq=15. time=0. ms
    64 bytes from solaris7 (10.100.1.2): icmp_seq=16. time=1. ms
    64 bytes from solaris7 (10.100.1.2): icmp_seq=17. time=0. ms
    64 bytes from solaris7 (10.100.1.2): icmp_seq=18. time=0. ms
    64 bytes from solaris7 (10.100.1.2): icmp_seq=19. time=0. ms
    64 bytes from solaris7 (10.100.1.2): icmp_seq=20. time=0. ms
    -- end
    64 bytes from solaris7 (10.100.1.2): icmp_seq=21. time=0. ms
    64 bytes from solaris7 (10.100.1.2): icmp_seq=22. time=0. ms
    64 bytes from solaris7 (10.100.1.2): icmp_seq=23. time=0. ms
    64 bytes from solaris7 (10.100.1.2): icmp_seq=24. time=0. ms
    ^C
    ----10.100.1.2 PING Statistics----
    25 packets transmitted, 25 packets received, 0% packet loss
    round-trip (ms) min/avg/max = 0/0/2

    # ipfstat -hio
    empty list for ipfilter(out)
    123021 pass in from any to any
    122994 block in proto tcp from any to any head 100
    0 pass in proto tcp from any to any flags S/FSRPAU keep state group 100

Darren
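The following is an added example, not part of Darren's post or of IP Filter itself: a small Python model of how the three rules above classify inbound packets, including the state table that `keep state` builds and the per-rule counters that `ipfstat -hi` reports. It assumes simplified IP Filter semantics (last match wins, a matching `head` rule hands evaluation to its group, a state-table hit bypasses the rule list) and uses constructed packets; the class and packet fields are hypothetical names chosen for the simulation.

```python
# Added example (not from the original post): simulate the three ipfilter
# rules from the workaround so the effect on stateless TCP segments is visible.
from collections import Counter

SYN_ONLY = frozenset("S")        # "flags S/FSRPAU": SYN set, every other flag clear

class IpfSim:
    """Toy model of the inbound rule list plus the keep-state table."""
    def __init__(self):
        self.state = set()       # state entries keyed on the inbound 4-tuple
        self.hits = Counter()    # per-rule packet counters, like ipfstat -hi

    @staticmethod
    def _key(p):
        return (p["src"], p["sport"], p["dst"], p["dport"])

    def filter_in(self, p):
        """Return 'pass' or 'block' for one inbound packet (a constructed dict)."""
        if p["proto"] == "tcp" and self._key(p) in self.state:
            self.hits["state"] += 1        # established flow: rules are not consulted
            return "pass"
        self.hits["pass in all"] += 1      # rule 1 matches every packet (ICMP included)
        verdict = "pass"
        if p["proto"] == "tcp":
            # Rule 2 matches all TCP and hands evaluation to group 100.
            self.hits["block in proto tcp all head 100"] += 1
            verdict = "block"              # silent drop: no RST is generated
            if frozenset(p["flags"]) == SYN_ONLY:
                self.hits["pass in proto tcp flags S keep state group 100"] += 1
                self.state.add(self._key(p))   # SYN-only creates the state entry
                verdict = "pass"
        return verdict

def demo():
    """Legit handshake, a ping, then 100 stateless ACKs to random ports."""
    fw = IpfSim()
    client = {"proto": "tcp", "src": "10.1.1.5", "sport": 40000,
              "dst": "10.100.1.2", "dport": 22}
    verdicts = [fw.filter_in({**client, "flags": f}) for f in ("S", "A", "PA")]
    verdicts.append(fw.filter_in({"proto": "icmp", "src": "10.1.1.5", "sport": 0,
                                  "dst": "10.100.1.2", "dport": 0, "flags": ""}))
    for port in range(1024, 1124):       # constructed ACK-only segments with no state
        fw.filter_in({"proto": "tcp", "src": "10.1.1.9", "sport": 5000 + port,
                      "dst": "10.100.1.2", "dport": port, "flags": "A"})
    return verdicts, dict(fw.hits)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The counters come out the same shape as the `ipfstat` output in the post: every packet increments `pass in all`, every TCP packet increments the `head 100` block rule, and only the SYN increments the group rule.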