Date:      Fri, 21 Jan 2000 22:59:15 -0800 (PST)
From:      "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
To:        dillon@apollo.backplane.com (Matthew Dillon)
Cc:        zeus@tetronsoftware.com (Gene Harris), freebsd-security@FreeBSD.ORG, brett@lariat.org (Brett Glass)
Subject:   Re: Follow Up to NT DoS w/stream
Message-ID:  <200001220659.WAA60141@gndrsh.dnsmgr.net>
In-Reply-To: <200001220646.WAA68092@apollo.backplane.com> from Matthew Dillon at "Jan 21, 2000 10:46:55 pm"

> :I then played around, using the FreeBSD box to launch an
> :attack with the command ./stream 10.255.255.255 0 0 10000.
> :Oh WOW!  The network came to a screeching halt.  An old
> :100 MHz Pentium laptop stopped responding, and a much
> :newer Windows 98 machine slowed noticeably.  The collision
> :light went from an occasional blink to pegged on the
> :network hub. The NT machine took forever to read from the CD
> :ROM on the Win98 machine.  The linux box stopped responding
> :altogether.  No machine crashed.  I ran the attack for 30
> :minutes.  As soon as the attack was terminated, all boxes
> :returned to normal activity.
> :
> :(One interesting side note.  The Redhat machine would not let
> :me attempt a stream attack with 10.255.255.255.  It would
> :only return a socket: permission denied error.)
> :
> :*==============================================*
> :*Gene Harris      http://www.tetronsoftware.com*
> 
>     Yes, this is called a broadcast attack.  One of the most important
>     rule sets you should have in your border router is to filter out
>     any external packets sent to your internal broadcast address, so
>     people outside your network can't saturate it with internal machine
>     responses.
> 
>     IRC hackers often use open broadcast addresses to mount attacks on
>     third parties.

And people wonder how we get to 300 and 400 rule filter sets :-).  We are
now just over 100 rules just for IP broadcast addresses... and that's only
protecting a very densely subnetted /22 (lots of p2p /30's in it).


-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net
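To make the border-router advice quoted above and the rule-count remark concrete, here is an added example (not code from this thread, from FreeBSD, or from either author): given a constructed internal address plan, it lists the directed-broadcast addresses a border filter must deny on the inbound side and emits one ipfw-style rule per address. The subnets and the outside interface name fxp0 are assumptions.

```python
import ipaddress
from typing import Iterable, List

def carve_p2p_links(aggregate: str, prefixlen: int = 30) -> List[str]:
    """Split an aggregate into point-to-point /30 links (constructed address plan)."""
    return [str(s) for s in ipaddress.ip_network(aggregate).subnets(new_prefix=prefixlen)]

# Constructed internal plan: one /22 carved into LAN subnets plus a /24 of p2p /30s.
INTERNAL_SUBNETS = (
    ["10.1.0.0/22", "10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/25", "10.1.2.128/25"]
    + carve_p2p_links("10.1.3.0/24")
)

def broadcast_addresses(subnets: Iterable[str]) -> List[str]:
    """Return the sorted, de-duplicated directed-broadcast address of every subnet.
    Each /30 contributes its own broadcast, so a densely subnetted block needs
    far more rules than one per aggregate (the /22's own broadcast overlaps the
    last /30's and is counted once)."""
    seen = {ipaddress.ip_network(c, strict=True).broadcast_address for c in subnets}
    return [str(a) for a in sorted(seen)]

def ipfw_deny_rules(subnets: Iterable[str], outside_if: str,
                    start: int = 1000, step: int = 10) -> List[str]:
    """Emit one ipfw-style deny rule per broadcast address for packets arriving
    on the outside interface (interface name is an assumption)."""
    return [f"ipfw add {start + n * step} deny ip from any to {addr} in via {outside_if}"
            for n, addr in enumerate(broadcast_addresses(subnets))]

def is_broadcast_target(dst: str, subnets: Iterable[str]) -> bool:
    """True if an inbound destination address would match one of the deny rules."""
    return dst in set(broadcast_addresses(subnets))

if __name__ == "__main__":
    rules = ipfw_deny_rules(INTERNAL_SUBNETS, "fxp0")
    print(f"{len(rules)} broadcast addresses to filter for {len(INTERNAL_SUBNETS)} subnets")
    print("\n".join(rules[:3] + ["..."] + rules[-1:]))
```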