From: Erwan Arzur
Organization: NetValue S.A.
Date: Tue, 23 Mar 1999 15:30:00 +0100
To: Eivind Eklund
Cc: security@FreeBSD.ORG
Subject: Re: natd + nmap ?
Message-ID: <36F7A568.4ACDBDE4@netvalue.fr>
References: <36F66F86.88FA36E3@netvalue.fr> <19990323142655.D40692@bitbox.follo.net>

Eivind Eklund wrote:
> On Mon, Mar 22, 1999 at 05:27:50PM +0100, Erwan Arzur wrote:
> > I just tried to scan a FreeBSD 3.0 w/ natd, and it appears that using the
> > -sU flag with nmap seems to completely lock natd at 100% CPU. Thus,
> > there is no way to send any packet in or out of the gateway.
>
> And -sU does what?
>
> There are two possibilities: A genuine bug in libalias or natd making
> it just spin, or a total overload of libalias.
>
> My very first suspicion would be that this sends a gazillion SYN
> packets, and that the active connections table in libalias gets
> clogged.

       -sU    UDP scans: This method is used to determine which UDP
              (User Datagram Protocol, RFC 768) ports are open on a
              host. The technique is to send 0 byte udp packets to
              each port on the target machine. If we receive an ICMP
              port unreachable message, then the port is closed.
              Otherwise we assume it is open. Some people think UDP
              scanning is pointless. I usually remind them of the
              recent Solaris rpcbind hole. Rpcbind can be found hiding
              on an undocumented UDP port somewhere above 32770. So it

> If this is the case, fixing it requires re-writing a bit of
> the data structure handling code for libalias. I started this about a
> year ago, but I dropped finishing it because it seemed pretty useless
> - a pure optimization against a piece of software that I'd never seen
> be a significant piece of the load on a machine. I still have the
> code, however, if somebody else is interested in finishing it (or
> testing/debugging it once I get the time to do the finishing - I do
> not have a practical setup for testing libalias at the moment.)

I can set up my own computer to test your code, if you wish ...

One can still prevent this kind of attack by trusting (divert to natd)
only a limited range of UDP ports, but this would make natd pretty
useless, anyway ...

Thanks
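Added illustration, not code from this thread or from libalias: a constructed C model of the overload Eivind suspects, a linear session table in which every probe of a -sU sweep creates a fresh entry, so per-packet lookup cost grows with every probe already seen, set beside the same table with a hard cap on live entries. The table layout, addresses, port numbers and cap value are assumptions, not libalias's.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy model of a NAT session table, not libalias's real code: a
 * linear list where every miss scans all live entries before adding one. */
#define TABLE_MAX 65536
struct flow { uint32_t src, dst; uint16_t sport, dport; uint8_t proto; };

struct nat_table {
    struct flow slot[TABLE_MAX];
    size_t cap, n;          /* cap: max live entries; n: live entries */
    unsigned long cmps;     /* key comparisons spent in lookups (cost metric) */
    unsigned long refused;  /* probes that got no state because cap was hit */
};

static int flow_eq(const struct flow *a, const struct flow *b)
{
    return a->src == b->src && a->dst == b->dst && a->sport == b->sport &&
           a->dport == b->dport && a->proto == b->proto;
}

/* Slot of the matching session, creating one on a miss; -1 if the table is full. */
static long lookup_or_insert(struct nat_table *t, const struct flow *f)
{
    for (size_t i = 0; i < t->n; i++) {
        t->cmps++;
        if (flow_eq(&t->slot[i], f)) return (long)i;   /* known session */
    }
    if (t->n == t->cap) { t->refused++; return -1; }   /* bounded: refuse */
    t->slot[t->n] = *f;
    return (long)t->n++;
}

/* One source sweeping nprobes distinct UDP ports on one host (constructed addresses),
 * the -sU pattern, via a table capped at cap entries. Returns comparisons spent. */
unsigned long simulate_udp_sweep(size_t cap, unsigned nprobes,
                                 size_t *live_out, unsigned long *refused_out)
{
    static struct nat_table t;              /* static: too large for the stack */
    memset(&t, 0, sizeof t);
    t.cap = cap < TABLE_MAX ? cap : TABLE_MAX;
    for (unsigned p = 0; p < nprobes; p++) {
        struct flow f = { 0xC0A80101u, 0x0A000001u, 40000u, (uint16_t)(1 + p), 17 };
        lookup_or_insert(&t, &f);
    }
    if (live_out) *live_out = t.n;
    if (refused_out) *refused_out = t.refused;
    return t.cmps;
}
```

A cap bounds memory and per-packet cost but turns the sweep into a refusal of new sessions for everyone behind the gateway, so it is only a stopgap next to cheaper lookups and entry expiry.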