From owner-freebsd-security Tue Mar 23 5:27:42 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.yes.no (ns1.yes.no [195.204.136.10]) by hub.freebsd.org (Postfix) with ESMTP id 9158A14C87 for ; Tue, 23 Mar 1999 05:27:16 -0800 (PST) (envelope-from eivind@bitbox.follo.net)
Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.9.1a/8.9.1) with ESMTP id OAA15108; Tue, 23 Mar 1999 14:26:56 +0100 (CET)
Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id OAA41482; Tue, 23 Mar 1999 14:26:56 +0100 (MET)
Date: Tue, 23 Mar 1999 14:26:55 +0100
From: Eivind Eklund
To: Erwan Arzur
Cc: security@FreeBSD.ORG
Subject: Re: natd + nmap ?
Message-ID: <19990323142655.D40692@bitbox.follo.net>
References: <36F66F86.88FA36E3@netvalue.fr>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.1i
In-Reply-To: <36F66F86.88FA36E3@netvalue.fr>; from Erwan Arzur on Mon, Mar 22, 1999 at 05:27:50PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Mar 22, 1999 at 05:27:50PM +0100, Erwan Arzur wrote:
> I just tried to scan a FreeBSD3.0 w/ natd, and it appears that using the
> -sU flag with nmap seems to completely lock natd at 100% cpu. Thus,
> there is no way to send any packet in or out of the gateway.

And -sU does what?

There are two possibilities: A genuine bug in libalias or natd making
it just spin, or a total overload of libalias.

My very first suspicion would be that this sends a gazillion SYN
packets, and that the active connections table in libalias gets
clogged. If this is the case, fixing it requires re-writing a bit of
the data structure handling code for libalias. I started this about a
year ago, but I dropped finishing it because it seemed pretty useless -
a pure optimization against a piece of software that I'd never seen be
a significant piece of the load on a machine.
I still have the code, however, if somebody else is interested in
finishing it (or testing/debugging it once I get the time to do the
finishing - I do not have a practical setup for testing libalias at the
moment.)

> Am I right in assuming this is a kind of DoS attack? Is there any way to
> prevent this kind of thing from happening, like an option to natd to make
> it drop incoming packets when reaching a given load?

Not with the present code base.

Eivind.
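
The thread above raises two ideas: a translation table that clogs when flooded with new flows, and an option to drop packets past a given load. The C sketch below is an added illustration of both, not code from libalias, natd or the list; every name and constant in it (table_packet, MAX_LINKS, IDLE_SECS and so on) is hypothetical. It uses a hashed lookup, a hard cap on tracked flows, and an idle sweep that runs at most once per clock tick, so a flood of new flows is dropped while established ones keep working.

```c
/* Added example: simplified model of a NAT translation table. Not libalias code. */
#include <stdint.h>
#define BUCKETS   256   /* hash buckets keep the per-packet lookup short      */
#define MAX_LINKS 1024  /* hard cap on tracked flows (constructed value)      */
#define IDLE_SECS 60    /* idle time before a link is reclaimed (assumed)     */

struct flow { uint32_t src, dst; uint16_t sport, dport; uint8_t proto; };
struct nat_link { struct flow f; uint32_t last_seen; int next; }; /* next: pool index or -1 */

static struct nat_link pool[MAX_LINKS];
static int bucket[BUCKETS], free_head, in_use;
static uint32_t last_sweep;

static unsigned hash(const struct flow *f) {
    uint32_t h = f->src ^ (f->dst * 2654435761u)
               ^ (((uint32_t)f->sport << 16) | f->dport) ^ f->proto;
    return (h ^ (h >> 16)) % BUCKETS;
}
static int same(const struct flow *a, const struct flow *b) {
    return a->src == b->src && a->dst == b->dst && a->sport == b->sport
        && a->dport == b->dport && a->proto == b->proto;
}
void table_init(void) {
    for (int i = 0; i < BUCKETS; i++) bucket[i] = -1;
    for (int i = 0; i < MAX_LINKS; i++) pool[i].next = (i + 1 < MAX_LINKS) ? i + 1 : -1;
    free_head = 0; in_use = 0; last_sweep = UINT32_MAX;
}
static void sweep(uint32_t now) {   /* reclaim idle links from every chain */
    for (int b = 0; b < BUCKETS; b++)
        for (int *pp = &bucket[b]; *pp != -1; ) {
            struct nat_link *l = &pool[*pp];
            if (now - l->last_seen <= IDLE_SECS) { pp = &l->next; continue; }
            int dead = *pp;
            *pp = l->next; l->next = free_head; free_head = dead; in_use--;
        }
}
/* Returns 1 if the packet has (or gets) a translation entry, 0 if it is dropped. */
int table_packet(const struct flow *f, uint32_t now) {
    unsigned b = hash(f);
    for (int i = bucket[b]; i != -1; i = pool[i].next)
        if (same(&pool[i].f, f)) { pool[i].last_seen = now; return 1; }
    /* Table full: sweep at most once per tick so a flood cannot force a scan per packet. */
    if (free_head == -1 && now != last_sweep) { last_sweep = now; sweep(now); }
    if (free_head == -1) return 0;  /* still full: drop the new flow, keep existing ones */
    int n = free_head; free_head = pool[n].next;
    pool[n].f = *f; pool[n].last_seen = now;
    pool[n].next = bucket[b]; bucket[b] = n; in_use++;
    return 1;
}
int table_in_use(void) { return in_use; }
```

The cap bounds memory and the hash bounds lookup time, which are the two resources a flood of never-repeated flows would otherwise consume.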