From owner-freebsd-security Fri Jan 21 3:22:33 2000
Delivered-To: freebsd-security@freebsd.org
Received: from intranova.net (blacklisted.intranova.net [209.3.31.70]) by hub.freebsd.org (Postfix) with SMTP id 8985814C43 for ; Fri, 21 Jan 2000 03:22:30 -0800 (PST) (envelope-from oogali@intranova.net)
Received: (qmail 95731 invoked from network); 21 Jan 2000 06:24:44 -0000
Received: from missnglnk.wants.to-fuck.com (HELO hydrant.intranova.net) (user79699@209.201.95.10) by blacklisted.intranova.net with SMTP; 21 Jan 2000 06:24:44 -0000
Date: Fri, 21 Jan 2000 06:21:15 -0500 (EST)
From: Omachonu Ogali
To: jamiE rishaw - master e*tard
Cc: Tom, Mike Tancsa, freebsd-security@freebsd.org
Subject: Re: bugtraq posts: stream.c - new FreeBSD exploit?
In-Reply-To: <20000120130945.B24082@x.arpa.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Could you give us a snippet of the syslog output from the FreeBSD machine?

P.S. Stop replying to 3 different lists, it's starting to get annoying.

Omachonu Ogali
Intranova Networking Group

On Thu, 20 Jan 2000, jamiE rishaw - master e*tard wrote:

> I have a copy of this, which I am not giving out. I will probably
> fire one off to jkh for sanity, but this looks like a really tough one
> to handle.
>
> The program basically fires off *loads* of pkts/sec of ACK at the victim
> host.. random source, blah blah.
>
> The problem is, the kernel already (from my understanding) drops bad ACKs
> pretty quickly. The thing is, tho, that it's kernel bound.. which means
> CPU.. so unless you have tons of extra CPU to spare, this attack will
> take your system to a "pause" until the attacker ceases.
>
> The only way to trace this attack is same as a SYN or smurf attack: to
> reverse flow "trace", which requires experienced backbone engineers and
> cooperation of sometimes multiple providers.
>
> I dunno. We'll see.
>
> -jamie
>
> On Thu, Jan 20, 2000 at 12:34:45PM -0800, Tom wrote:
> >
> > On Thu, 20 Jan 2000, Mike Tancsa wrote:
> >
> > > Can anyone confirm the bugtraq posting? Are the freebsd folks working on
> > > a fix? If so, what versions are affected?
> > >
> > > ---Mike
> > >
> > > >The only log that he could provide was this one:
> > > >
> > > >---snip---
> > > >
> > > >syslog:Jan 18 12:30:36 x kernel: Kernel panic: Free list empty
> > > >
> > > >---snip---
> > > >
> > > >One thing of note: he also stated this happened on non-freebsd systems,
> > > >which is contrary to what the other person said, who was "under the
> > > >impression it was freebsd specific."
> > > >
> > > >I have the source, which I'm not going to post for 2-3 days (give time for
> > > >fbsd to work on the fix). If it isn't out before the 21st, I'll post it up.
> > > >
> > Uhh.. there isn't enough information here to determine anything.
> >
> > > ------------------------------------------------------------------------
> > > Mike Tancsa, tel +1 519 651 3400
> > > Network Administrator, mike@sentex.net
> > > Sentex Communications www.sentex.net
> > > Cambridge, Ontario Canada
> >
> > Tom
> > Uniserve
>
> --
> i am jamie at arpa dot com this is a no plur zone.
>
> "silly raver, k is for cats!"

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
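
Added example, not part of the original thread and not any poster's code: a defender-side check for the traffic pattern described in the quoted message (a high rate of bare ACK segments from random sources that belong to no open connection), run over a capture summary. The log format, sample addresses, function name and thresholds are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in a simplified tcpdump-like form (not from the thread):
# "<epoch_sec> <src_ip>.<sport> > <dst_ip>.<dport>: Flags [<flags>]"
SAMPLE = """\
100 10.0.0.5.40000 > 192.0.2.10.80: Flags [S]
100 192.0.2.10.80 > 10.0.0.5.40000: Flags [S.]
100 10.0.0.5.40000 > 192.0.2.10.80: Flags [.]
101 10.0.0.5.40000 > 192.0.2.10.80: Flags [P.]
""" + "".join(
    f"102 198.51.100.{i}.{1024 + i} > 192.0.2.10.80: Flags [.]\n"
    for i in range(1, 41)
)

LINE = re.compile(r"^(\d+) (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]$")

def find_ack_floods(text, min_pkts=20, min_sources=10):
    """Return [(second, dst_ip, stray_acks, distinct_sources)] over threshold.

    A "stray" ACK is a segment with only ACK set whose 4-tuple was never
    seen with a SYN in either direction earlier in this capture. Flows that
    were already open when the capture started will also look stray, so the
    thresholds (hypothetical defaults) require volume and source diversity.
    """
    handshaken = set()            # flows opened with a SYN
    strays = defaultdict(list)    # (second, dst_ip) -> [src_ip, ...]
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue              # skip lines that are not in the assumed format
        ts, src, sport, dst, dport, flags = m.groups()
        flow = frozenset([(src, sport), (dst, dport)])  # direction-independent
        if "S" in flags:
            handshaken.add(flow)
        elif flags == "." and flow not in handshaken:
            strays[(int(ts), dst)].append(src)
    alerts = []
    for (ts, dst), srcs in sorted(strays.items()):
        if len(srcs) >= min_pkts and len(set(srcs)) >= min_sources:
            alerts.append((ts, dst, len(srcs), len(set(srcs))))
    return alerts

if __name__ == "__main__":
    for ts, dst, n, uniq in find_ack_floods(SAMPLE):
        print(f"t={ts} dst={dst}: {n} stray ACKs from {uniq} sources")
```

Because the sources are random, the per-destination count is the useful signal here; the source addresses in an alert say nothing about where the traffic actually came from.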