[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Fwd: Quick remedy for stream.c]



Is OpenBSD 2.5 or 2.6 effected by this DoS?

Abdul

Brett Glass wrote:
> 
> At 03:44 PM 1/18/2000 , The Tree of Life wrote:
> 
> >I've been informed today by an irc admin that a new exploit is circulating
> >around.  It "sends tcp-established bitstream shit" and makes the "kernel
> >fuck up".
> >
> >It's called stream.c.
> 
> Actually, this affects most TCP stacks, including those in Linux, Solaris,
> and all of the BSDs. Not tested under NT or Windows, but I'll bet it does so
> there as well. The problem seems to stem from a worst-case path through the
> kernel's socket lookup code, followed by the overhead of generating
> a RST.
> 
> A quick bull session on the FreeBSD Security list has produced a workaround
> that works on all of the BSDs and in fact anything that runs IPFilter. I
> asked Darren Reed, author of IPFilter (which now comes with all of the BSDs)
> if it's possible to block the attack using his firewall code, and he says
> it is. Darren writes that the rules are as follows:
> 
> >pass in all
> >block in proto tcp all head 100
> >pass in proto tcp from any to any flags S keep state group 100
> 
> (Change group 100 to something else if you're already using it in your
> firewall rules.)
> 
> He's tested these rules on a Solaris 7 system and they seem to defeat
> the DoS.
> 
> Note that you must be using Darren's IPFilter package for this to work.
> IPFW and some other firewalls do not remember the states of connections;
> they therefore can't detect the "established bistream shit" mentioned
> above.
> 
> I'd recommend that all BSD users add Darren's rules as a first-pass
> fix for the problem. IPFilter also runs on Linux, but doesn't come
> with all distros. To get it, see http://cheops.anu.edu.au/~avalon/
> 
> --Brett Glass

-- 
East Coast Access - Internet Surfing the E.C Way
http://www.eastcoast.co.za
Tel: +27-31-267-0169
Fax: +27-31-267-0168



Visit your host, monkey.org