Planned to reserve my comments until after the code went public, but since everyone is discussing it now.... > A quick bull session on the FreeBSD Security list has produced a workaround > that works on all of the BSDs and in fact anything that runs IPFilter. I > asked Darren Reed, author of IPFilter (which now comes with all of the BSDs) > if it's possible to block the attack using his firewall code, and he says > it is. Darren writes that the rules are as follows: The only fix you should need with a FreeBSD 3.x (and 4.x?) system is the option "ICMP_BANDLIM" in your config file. In my tests against a target on the same switch running 3.4RC (-stable), this option proved effective. Granted you fill up the message buffer as the system responds, but that's a minor effect. Tested BSD/OS 4.0.1, Solaris 2.6/sparc and Linux 2.2.14 (homebrew distr); none were using filter nor firewall packages, none were affected negatively. Not to imply stream.c does not affect _some_ configuration (ie. out-of-box) of the tested operating systems... just that I was unable to duplicate the supposed DoS. > He's tested these rules on a Solaris 7 system and they seem to defeat > the DoS. Has anyone actually tested this against Solaris, or is it just assumed to be vulnerable? I hammered a Solaris 2.6/sparc box (SS20, pl 105181-05) over a 100Mb crossover for a solid 15 minutes without noticable effect to established or newly-established sessions. Verified the packets were being sent from both the attack and target ends - at the specified rate. I wonder if we're working with the same 'stream.c' ;-) Regards, -- Dan Frasnelli Security analyst
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:29:49 PDT