Quick remedy for stream.c

From: Brett Glass (brettat_private)
Date: Thu Jan 20 2000 - 19:01:33 PST


    At 03:44 PM 1/18/2000 , The Tree of Life wrote:
    
    >I've been informed today by an irc admin that a new exploit is circulating
    >around.  It "sends tcp-established bitstream shit" and makes the "kernel
    >fuck up".
    >
    >It's called stream.c.
    
    Actually, this affects most TCP stacks, including those in Linux, Solaris,
    and all of the BSDs. Not tested under NT or Windows, but I'll bet it does so
    there as well. The problem seems to stem from a worst-case path through the
    kernel's socket lookup code, followed by the overhead of generating
    a RST.
    
    A quick bull session on the FreeBSD Security list has produced a workaround
    that works on all of the BSDs and in fact anything that runs IPFilter. I
    asked Darren Reed, author of IPFilter (which now comes with all of the BSDs)
    if it's possible to block the attack using his firewall code, and he says
    it is. Darren writes that the rules are as follows:
    
    >pass in all
    >block in proto tcp all head 100
    >pass in proto tcp from any to any flags S keep state group 100
    
    (Change group 100 to something else if you're already using it in your
    firewall rules.)
    
    He's tested these rules on a Solaris 7 system and they seem to defeat
    the DoS.
    
    Note that you must be using Darren's IPFilter package for this to work.
    IPFW and some other firewalls do not remember the states of connections;
    they therefore can't detect the "established bitstream shit" mentioned
    above.
    
    I'd recommend that all BSD users add Darren's rules as a first-pass
    fix for the problem. IPFilter also runs on Linux, but doesn't come
    with all distros. To get it, see http://cheops.anu.edu.au/~avalon/
    
    --Brett Glass
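As an added illustration (not part of Brett's post, and not Darren Reed's IPFilter code), a toy Python model of the three quoted rules. It shows why a filter that remembers connection state can drop flag-only TCP segments that belong to no connection it has seen, while a filter without state has to pass them all to the kernel's socket lookup. The packets are constructed, and the state key is a simplified 4-tuple.

```python
from collections import namedtuple

# Constructed packet shape: 4-tuple plus TCP flag string ("S" = SYN only, "A" = ACK only).
Packet = namedtuple("Packet", "src sport dst dport flags")


class StatefulFilter:
    """Toy model of: block in proto tcp all head 100 /
    pass in proto tcp from any to any flags S keep state group 100.
    Not IPFilter's real state machine; the 'state' is a bare set of 4-tuples."""

    def __init__(self):
        self.state = set()  # connections admitted by an inbound pure SYN

    def decide(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.state:
            return "pass"          # belongs to a connection the filter has seen
        if pkt.flags == "S":       # pure SYN: new connection, remember it
            self.state.add(key)
            return "pass"
        return "block"             # any other TCP segment with no state is dropped


class StatelessFilter:
    """A filter with no connection memory cannot tell a stray ACK from a
    legitimate reply, so a 'pass in all' policy passes every segment."""

    def decide(self, pkt):
        return "pass"


# Constructed traffic: one legitimate handshake, then stray "established" segments
# (ACK only, no prior SYN) of the kind the post describes.
TRAFFIC = [
    Packet("10.0.0.5", 40000, "10.0.0.1", 80, "S"),
    Packet("10.0.0.5", 40000, "10.0.0.1", 80, "A"),
    Packet("192.0.2.7", 1234, "10.0.0.1", 80, "A"),
    Packet("192.0.2.8", 1235, "10.0.0.1", 80, "A"),
]


def decisions(filter_cls=StatefulFilter, packets=TRAFFIC):
    """Verdict per packet, in order."""
    f = filter_cls()
    return [f.decide(p) for p in packets]


def reached_stack(verdicts):
    """How many segments the kernel's socket lookup still has to handle."""
    return sum(1 for v in verdicts if v == "pass")
```

With the stateful rules only the two handshake segments reach the stack; with the stateless filter all four do, which is the difference the post draws between IPFilter and IPFW.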
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:29:29 PDT