From: Keith Stevenson
Date: Fri, 21 Jan 2000 16:27:57 -0500
To: freebsd-security@freebsd.org
Subject: Re: Some observations on stream.c and streamnt.c
Message-ID: <20000121162757.A7080@osaka.louisville.edu>
References: <4.2.2.20000120194543.019a8d50@localhost>

I've been doing my own testing.

Against AIX 4.2.1 - no apparent effect
Against HPUX 10.20 - Really effective DOS.
Against FreeBSD 3-STABLE with ICMP rate limiting enabled - no effect
Against Linux 2.2.10 - Really effective DOS.

I was pushing 2.3 Mb/s out against the target machines. I didn't let it run
for more than 3-4 minutes at a time. The HP and Linux box really bogged down.
Network connections to them were being dropped and could not be re-established
until I stopped the attack.

I was very happy with my FreeBSD servers. All are 3.4-STABLE with options
"ICMP_BANDLIM" in the kernel. One of the machines I tested had
TCP_RESTRICT_RST enabled. The ICMP_BANDLIM seemed to be the life saver. I got
tons of "icmp-response bandwidth limit" messages in my syslog, but the load
didn't climb and I was still able to provide network services from the target
host.

The machine which was running TCP_RESTRICT_RST in addition to ICMP_BANDLIM
behaved exactly like the one without TCP_RESTRICT_RST.

Regards,
--Keith Stevenson--

--
Keith Stevenson
System Programmer - Data Center Services - University of Louisville
k.stevenson@louisville.edu
PGP key fingerprint = 4B 29 A8 95 A8 82 EA A2 29 CE 68 DE FC EE B6 A0
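The "icmp-response bandwidth limit" kernel messages mentioned in the message above can double as a flood indicator. The following is an added example, not part of the original post: it buckets those messages per host and minute and flags sustained bursts. Only the quoted phrase comes from the message; the "N/M pps" suffix, host names, timestamps and the threshold are assumptions made for illustration.

```python
import re

# Constructed sample lines. Only the phrase "icmp-response bandwidth limit"
# is taken from the message; the "N/M pps" suffix, hosts and times are assumed.
SAMPLE_SYSLOG = """\
Jan 21 16:01:12 web1 /kernel: icmp-response bandwidth limit 2311/100 pps
Jan 21 16:01:13 web1 /kernel: icmp-response bandwidth limit 2540/100 pps
Jan 21 16:01:14 web1 sshd[311]: Accepted password for ops from 192.0.2.10
Jan 21 16:01:15 web1 /kernel: icmp-response bandwidth limit 2498/100 pps
Jan 21 16:01:40 web1 /kernel: icmp-response bandwidth limit
Jan 21 16:02:03 web1 /kernel: icmp-response bandwidth limit 140/100 pps
Jan 21 16:01:30 db1 /kernel: icmp-response bandwidth limit 101/100 pps
"""

# Timestamp (to the minute), host, then the limiter phrase; the rate suffix
# is optional so lines that carry only the phrase are still counted.
LINE_RE = re.compile(
    r"^(?P<minute>\w{3}\s+\d+\s+\d{2}:\d{2}):\d{2}\s+(?P<host>\S+)\s+.*?"
    r"icmp-response bandwidth limit(?:\s+(?P<seen>\d+)/(?P<limit>\d+)\s+pps)?"
)


def summarize(log_text):
    """Return {(host, minute): (message_count, peak_reported_pps)}."""
    buckets = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated syslog line
        key = (m["host"], m["minute"])
        count, peak = buckets.get(key, (0, 0))
        seen = int(m["seen"]) if m["seen"] else 0
        buckets[key] = (count + 1, max(peak, seen))
    return buckets


def flag_floods(log_text, min_messages=3):
    """List (host, minute, count, peak) where the limiter fired repeatedly."""
    return sorted(
        (host, minute, count, peak)
        for (host, minute), (count, peak) in summarize(log_text).items()
        if count >= min_messages
    )


if __name__ == "__main__":
    for host, minute, count, peak in flag_floods(SAMPLE_SYSLOG):
        print(f"{host} {minute}: {count} limiter messages, peak {peak} pps")
```

A single limiter message per minute is common background noise from port scans or stale connections, which is why the example alerts on repeated hits within one minute rather than on any occurrence.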