On Sun, Aug 30, 1998 at 06:22:26PM -0700, James Snow wrote:
> Be aware that this individual used this attack on my machine late last
> night, disconnecting all of my users without warning, and certainly
> without asking for permission.

As before, I apologize for disconnecting those three random IRC sessions,
though I don't think that's relevant to this forum.

> He also did not, to my knowledge, report this to the FreeBSD team before
> posting this here.

Yeah, I only Bcc'd security-officerat_private  Sorry, prior experience led
me to believe that it would take a day or so before the message would be
approved... Probably not entirely FreeBSD-specific, anyway.

On Sun, Aug 30, 1998 at 07:09:46PM -0700, Diane Bruce wrote:
> I hate people who mime their email for the plain text part.

OK, I won't sign this one.

> Port 6666 is quite commonly used for autoconnect, as well as 31337...
> Not really very much that can be done from userland really...

I'm told that 5555 is something of a standard these days too.

If you can effectively keep /both/ ports unknown, i.e. bind to a random port
for outbound server connections and get your uplink to set up a special port
(firewalled from portscanners), you'd be in good shape. However, I doubt most
people would be willing to go to such trouble, and I think it takes enough
additional brainpower to keep it from being exploited much before the patch
is released anyway.

The offending code seems to be around /usr/src/sys/netinet/tcp_input.c:809
for sockets in SYN_SENT state, and :1138 for sockets in most of the other
states. (Looking at 2.2.6-RELEASE: $Id: tcp_input.c,v 1.54.2.7...)

On a similar topic, has anyone explored the possibility of injecting routes
or doing other evil things with the endless information that ciscos provide
in sh ip bgp nei? Most route-views type places seem to allow it.

Tris
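The "keep both ports unknown" suggestion above, as an added example that is not part of the post and not FreeBSD's tcp_input.c: a toy connection table keyed by the TCP 4-tuple, in which any spoofed segment that matches a live 4-tuple is taken to tear the connection down. That kill-on-match rule is a stand-in for whatever the per-state check in tcp_input.c actually accepts; the addresses, the fixed 1024 bind, the 49152-65535 ephemeral range, the attacker's segment budget and the hard-coded "random" port draws are all assumptions chosen so the run is reproducible.

```python
"""Blind-spoofing search space under fixed vs. randomized ports.

Constructed illustration, not code from the post or from FreeBSD: a tiny
connection table keyed by the TCP 4-tuple, where any spoofed segment that
matches a live 4-tuple is taken to kill the connection. The hosts, port
ranges and "random" draws below are assumptions for the illustration.
"""

# Ports the thread names as commonly used for IRC server autoconnect.
COMMON_SERVER_PORTS = (6666, 5555, 31337)
# Assumed ephemeral range for a randomized outbound bind.
EPHEMERAL = range(49152, 65536)


class ConnTable:
    """Connections keyed by (local_addr, local_port, remote_addr, remote_port)."""

    def __init__(self):
        self.conns = {}

    def add(self, laddr, lport, raddr, rport):
        self.conns[(laddr, lport, raddr, rport)] = "ESTABLISHED"

    def deliver(self, src, sport, dst, dport):
        """A segment from src:sport to dst:dport. Returns True if it matched
        a live connection, which this model tears down on the spot."""
        key = (dst, dport, src, sport)
        if key in self.conns:
            del self.conns[key]
            return True
        return False


def blind_kill_attempts(table, laddr, raddr, local_candidates,
                        remote_candidates, budget=100_000):
    """Attacker knows both addresses, spoofs segments as if sent by the
    remote end, and walks (remote_port, local_port) pairs in order.
    Returns the number of segments sent when the link died, or None if
    the budget ran out first."""
    sent = 0
    for rport in remote_candidates:
        for lport in local_candidates:
            if sent >= budget:
                return None
            sent += 1
            if table.deliver(raddr, rport, laddr, lport):
                return sent
    return None


def link_with(lport, rport, laddr="10.0.0.1", raddr="10.0.0.2"):
    """One outbound server-to-server link from laddr:lport to raddr:rport."""
    table = ConnTable()
    table.add(laddr, lport, raddr, rport)
    return table, laddr, raddr


def predictable_setup():
    """Local side binds outbound links to a fixed low port (assumed 1024);
    the uplink listens on a well-known autoconnect port. The attacker tries
    the usual server ports against sequential low local ports."""
    table, laddr, raddr = link_with(lport=1024, rport=6666)
    return blind_kill_attempts(table, laddr, raddr,
                               local_candidates=range(1024, 1024 + 64),
                               remote_candidates=COMMON_SERVER_PORTS)


def randomized_local_port(lport=61234):
    """Only the local side randomizes (one assumed draw, hard-coded); the
    uplink still listens on 6666, so the attacker sweeps the ephemeral
    range against that single remote port."""
    table, laddr, raddr = link_with(lport=lport, rport=6666)
    return blind_kill_attempts(table, laddr, raddr,
                               local_candidates=EPHEMERAL,
                               remote_candidates=(6666,))


def randomized_both_ports(lport=61234, rport=52345):
    """Both sides use non-standard ports (assumed draws, hard-coded); the
    attacker has to sweep the product of both ranges."""
    table, laddr, raddr = link_with(lport=lport, rport=rport)
    return blind_kill_attempts(table, laddr, raddr,
                               local_candidates=EPHEMERAL,
                               remote_candidates=EPHEMERAL)


if __name__ == "__main__":
    print("fixed ports:", predictable_setup())          # 1 segment
    print("random local:", randomized_local_port())     # 12083 segments
    print("both random:", randomized_both_ports())      # None (budget exhausted)
```

The middle case is the one worth noticing: randomizing only your own end still leaves a sweep of one ephemeral range, which is cheap to spray if the attacker can send a few thousand packets per second; only when the uplink's port is also non-standard (and not discoverable by scanning) does the search space become the product of both ranges.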
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:14:09 PDT