From owner-freebsd-security Fri Jan 21 22:38:38 2000
Delivered-To: freebsd-security@freebsd.org
Received: from tetron02.tetronsoftware.com (ftp.tetronsoftware.com [208.236.46.106])
    by hub.freebsd.org (Postfix) with ESMTP id 942C014CF8
    for ; Fri, 21 Jan 2000 22:38:34 -0800 (PST)
    (envelope-from zeus@tetronsoftware.com)
Received: from tetron02.tetronsoftware.com (tetron02.tetronsoftware.com [208.236.46.106])
    by tetron02.tetronsoftware.com (8.9.3/8.9.3) with ESMTP id AAA05627;
    Sat, 22 Jan 2000 00:42:08 -0600 (CST)
    (envelope-from zeus@tetronsoftware.com)
Date: Sat, 22 Jan 2000 00:42:08 -0600 (CST)
From: Gene Harris
To: Matthew Dillon
Cc: freebsd-security@freebsd.org, Brett Glass
Subject: Follow Up to NT DoS w/stream
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Matt,

Sorry I didn't answer your earlier query about an NT attack across a T3 using streams. Had a dinner date with a lovely girl. I did not attempt to monitor packet activity at the attack machine (BSDI OS).

However, we brought a new NT machine online to our local 100 MBit network, with SP6a. (I couldn't find my SP4 files and didn't feel like downloading them.) We proceeded to attack the NT Server from a Redhat Linux 6.1 box and a FreeBSD 3.4 stable box on our local 10.0.0.0/8 network with stream.c using random ports. We used the command

    ./stream 10.0.0.2 0 0 10000

from each *nix box. The system showed no discernible slowdown, running IIS. (However, the process monitor registered CPU activity between 26 and 34%.) I also ran a Back Office 2.5 install across the same network, from a CD on a nearby Win98 machine, to simulate directed activity from the NT Server to a client. Other than some slowness due to the high network loads, the NT box did not appear to be bothered. I ran this test for about 2 hours while we were at dinner.

I then played around, using the FreeBSD box to launch an attack with the command

    ./stream 10.255.255.255 0 0 10000

Oh WOW! The network came to a screeching halt. An old 100 MHz Pentium laptop stopped responding, and a much newer Windows 98 machine slowed noticeably. The collision light went from an occasional blink to pegged on the network hub. The NT machine took forever to read from the CD ROM on the Win98 machine. The Linux box stopped responding altogether. No machine crashed. I ran the attack for 30 minutes. As soon as the attack was terminated, all boxes returned to normal activity.

(One interesting side note: the Redhat machine would not let me attempt a stream attack with 10.255.255.255. It would only return a "socket: permission denied" error.)

*==============================================*
*Gene Harris      http://www.tetronsoftware.com*
*FreeBSD Novice                                *
*All ORBS.org SMTP connections are denied!     *
*==============================================*