From owner-freebsd-security Sun Jan 23 7:28:35 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.iad.above.net (mail.iad.above.net [207.126.105.158]) by hub.freebsd.org (Postfix) with ESMTP id 45E5B14C32 for ; Sun, 23 Jan 2000 07:28:32 -0800 (PST) (envelope-from ras@iad.above.net) Received: (from ras@localhost) by mail.iad.above.net (8.9.2/8.9.2) id KAA03139 for freebsd-security@freebsd.org; Sun, 23 Jan 2000 10:28:30 -0500 (EST) Date: Sun, 23 Jan 2000 10:28:30 -0500 From: Richard Steenbergen To: freebsd-security@freebsd.org Subject: stream.c Message-ID: <20000123102829.C18349@above.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.4i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Sigh... ok, just to help out those people running around like chickens with their heads cut off trying to fix or simulate the freaking stream.c garbage: "netstat 1" is your friend... and if its not putting out as many packets/sec as it should be, look to your network connection. Half duplex hubs will become quickly unhappy and backup transmition to the point of getting those lovely out of buffer space messages. I think this has disappointed quite a few packet kiddies already, since half the time the only thing they end up killing is the place they're attacking from. :P The correct "sorta-fix" is to rate limit the number of dropwithreset's per second, else kick them down to straight drop. I believe this has been done effectively in http://www.freebsd.org/~alfred/tcp_fix.diff (though I question what its aimed to be accomplished with that checksum work :P). And note the fact that since it was originally not intended to be an ACK flooder, the ack # field itself stays 0. Think about it. Also note that there are at least two versions floating around out there, one with the TH_ACK bit set (the original copy passed around to the packet kiddies) and one with no flags set (the copy the idiot that passed it out in the first place continued to pass out to new people after all the hoopla over the first release). yada yada hope this helps someone, I'm so sick of stream.c its not even funny. -- Richard A. Steenbergen http://users.quadrunner.com/humble PGP Key ID: 0x60AB0AD1 (E5 35 10 1D DE 7D 8C A7 09 1C 80 8B AF B9 77 BB) AboveNet Communications - AboveSecure Network Security Engineer, Vienna VA "A mind is like a parachute, it works best when open." -- Unknown To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message