=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


    Date: Пт, 21 янв 2000  00:09:45

   От: jamiE rishaw - master e*tard <jamiE@arpa.com>

 Кому: Tom <tom@uniserve.com>

 Тема: Re: bugtraq posts:  stream.c - new FreeBSD exploit?

--------------------------------------------------------------------------------




I have a copy of this, which I am not giving out.  I will probably

fire one off to jkh for sanity, but this looks like a really tough one

to handle.



The program basically fires off *loads* of pkts/sec of ACK at the victim

host.. random source, blah blah.



The problem is, the kernel already (from my understanding) drops bad ACKs

pretty quickly.  The thing is, tho, that it's kernel bound.. which means

CPU.. so unless you have tons of extra CPU to spare, this attack will

take your system to a "pause" until the attacker ceases.



The only way to trace this attack is same as a SYN or smurf attack: to

reverse flow "trace", which requires experienced backbone engineers and

cooperation of sometimes multiple providers.



I duno.  We'll see.



-jamie



On Thu, Jan 20, 2000 at 12:34:45PM -0800, Tom wrote:

> 

> On Thu, 20 Jan 2000, Mike Tancsa wrote:

> 

> > Can anyone confirm the bugtraq posting ?  Are the freebsd folks working on

> > a fix ? If so, what versions are effected ?

> > 

> >     ---Mike

> > 

> > >The only log that he could provide was this one:

> > >

> > >---snip---

> > >

> > >syslog:Jan 18 12:30:36 x kernel: Kernel panic: Free list empty

> > >

> > >---snip---

> > >

> > >One thing of note:  he also stated this happened on non-freebsd systems,

> > >which is contrary to what the other person said, who was "under the

> > >impression it was freebsd specific."

> > >

> > >I have the source, which I'm not going to post for 2-3 days (give time for

> > >fbsd to work on the fix).  If it isn't out before the 21st, I'll post it up.

> 

> 

>   Uhh.. there isn't enough information here to determine anything.

> 

> 

> > ------------------------------------------------------------------------

> > Mike Tancsa,                                          tel +1 519 651 3400

> > Network Administrator,                        mike@sentex.net

> > Sentex Communications                                 www.sentex.net

> > Cambridge, Ontario Canada

> 

> 

> Tom

> Uniserve

> 

> 

> 

> To Unsubscribe: send mail to majordomo@FreeBSD.org

> with "unsubscribe freebsd-security" in the body of the message



-- 

i am jamie at arpa dot com                       this is a no plur zone.



                        "silly raver, k is for cats!"





To Unsubscribe: send mail to majordomo@FreeBSD.org

with "unsubscribe freebsd-security" in the body of the message