From owner-freebsd-security Fri Jan 21 22:59:27 2000
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 7523215551 for ; Fri, 21 Jan 2000 22:59:24 -0800 (PST) (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id WAA60141; Fri, 21 Jan 2000 22:59:15 -0800 (PST) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <200001220659.WAA60141@gndrsh.dnsmgr.net>
Subject: Re: Follow Up to NT DoS w/stream
In-Reply-To: <200001220646.WAA68092@apollo.backplane.com> from Matthew Dillon at "Jan 21, 2000 10:46:55 pm"
To: dillon@apollo.backplane.com (Matthew Dillon)
Date: Fri, 21 Jan 2000 22:59:15 -0800 (PST)
Cc: zeus@tetronsoftware.com (Gene Harris), freebsd-security@FreeBSD.ORG, brett@lariat.org (Brett Glass)
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> :I then played around, using the FreeBSD box to launch an
> :attack with the command ./stream 10.255.255.255 0 0 10000.
> :Oh WOW! The network came to a screeching halt. An old
> :100 MHz Pentium laptop stopped responding, and a much
> :newer Windows 98 machine slowed noticeably. The collision
> :light went from an occasional blink to pegged on the
> :network hub. The NT machine took forever to read from the CD
> :ROM on the Win98 machine. The linux box stopped responding
> :altogether. No machine crashed. I ran the attack for 30
> :minutes. As soon as the attack was terminated, all boxes
> :returned to normal activity.
> :
> :(One interesting side note. The Redhat machine would not let
> :me attempt a stream attack with 10.255.255.255. It would
> :only return a socket: permission denied error.)
> :
> :*==============================================*
> :*Gene Harris http://www.tetronsoftware.com*
>
> Yes, this is called a broadcast attack. One of the most important
> rule sets you should have in your border router is to filter out
> any external packets sent to your internal broadcast address, so
> people outside your network can't saturate it with internal machine
> responses.
>
> IRC hackers often use open broadcast addresses to mount attacks on
> third parties.

And people wonder how we get to 300 and 400 rule filter sets :-).
We are now just over 100 rules just for IP broadcast addresses...
and that's only protecting a very densely subnetted /22 (lots of
p2p /30's in it).

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
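The thread describes the defensive rule set in words: one border-router deny rule per internal directed-broadcast address, which is how a densely subnetted /22 ends up needing over a hundred rules. The script below is an added illustration of that, not code from the message or from the FreeBSD project. It computes the broadcast address of each internal prefix, emits a matching ipfw deny rule for inbound traffic on the external interface, and models the resulting filter against a few sample destinations. The subnet list, the interface name fxp0, the rule numbering and the sample destinations are constructed for the example; the rule syntax is the classic ipfw form (`deny ip from any to <addr> in via <ifname>`).

```python
"""Generate ipfw rules that drop inbound packets aimed at the broadcast
addresses of internal subnets, and check sample destinations against them.

Added example for this thread: the subnets, interface name and sample
packets below are constructed, not taken from the original message.
"""
import ipaddress

# Constructed: an external interface and a few of the prefixes a densely
# subnetted /22 might be carved into (including point-to-point /30 links,
# each of which has its own broadcast address and therefore its own rule).
EXT_IF = "fxp0"
INTERNAL_SUBNETS = [
    "10.1.0.0/24",
    "10.1.1.0/25",
    "10.1.1.128/25",
    "10.1.2.0/30",
    "10.1.2.4/30",
    "10.1.2.8/30",
]

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def broadcast_addresses(subnets):
    """Return the directed-broadcast address of every subnet, de-duplicated
    and sorted. /31 and /32 prefixes have no usable broadcast and are skipped."""
    result = set()
    for cidr in subnets:
        net = ipaddress.ip_network(cidr, strict=True)
        if net.prefixlen >= 31:
            continue
        result.add(net.broadcast_address)
    return sorted(result)


def ipfw_rules(subnets, ext_if=EXT_IF, base=1000, step=10):
    """Emit one deny rule per broadcast address. Matching only packets that
    arrive inbound on the external interface leaves internal hosts free to
    use their own broadcast domains."""
    rules = []
    num = base
    for bcast in broadcast_addresses(subnets):
        rules.append(f"ipfw add {num} deny ip from any to {bcast} in via {ext_if}")
        num += step
    # The limited broadcast address should never cross a border either.
    rules.append(f"ipfw add {num} deny ip from any to {LIMITED_BROADCAST} in via {ext_if}")
    return rules


def would_be_dropped(dst_ip, subnets):
    """Model the filter: True if an inbound packet to dst_ip hits a deny rule."""
    dst = ipaddress.ip_address(dst_ip)
    if dst == LIMITED_BROADCAST:
        return True
    return dst in set(broadcast_addresses(subnets))


if __name__ == "__main__":
    for rule in ipfw_rules(INTERNAL_SUBNETS):
        print(rule)
    # Constructed sample destinations: two broadcast addresses and one host.
    for dst in ("10.1.0.255", "10.1.2.3", "10.1.1.10"):
        verdict = "dropped" if would_be_dropped(dst, INTERNAL_SUBNETS) else "passed"
        print(f"{dst}: {verdict}")
```

Run it to see how quickly the rule count grows: six prefixes already produce seven deny rules, and every additional /30 adds another, which matches the "just over 100 rules" Rod describes for a real /22.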