Bugtraq mailing list archives
Re: updated Bindview NAPTHA advisory
From: Michal Zalewski <lcamtuf () DIONE IDS PL>
Date: Wed, 20 Dec 2000 02:01:22 +0100
On Mon, 18 Dec 2000, Bob Keyes wrote:
> A set of network DoS vulnerabilities has been discovered, and the name NAPTHA is being used to describe them as a group. The NAPTHA vulnerabilities are weaknesses in the way that TCP/IP stacks and network applications handle the state of a TCP connection.
Do not get me wrong, but we've seen TCP packet spoofers a long time ago. It is not difficult (a few lines in C!) to spoof a SYN packet, intercept the response and send a SYN+ACK response without actually involving the system network layer and system resources. I have been aware of such software for many years, and most security people should be aware of it as well. I would say more: on a modern system, it isn't especially resource-consuming to establish, let's say, 1000 connections to a remote service using the system networking layer as well (Linux 2.4 should handle it with no problems within one process!). I wouldn't call "Naptha" innovative, and I do not exactly get what that hype is about.
> Microsoft Windows No
Oh, does MS Windows 2000 implement some special kind of networking stack which doesn't respect TCP/IP networking fundamentals, thus being not vulnerable to such attacks at all? Or is there some kind of workaround? If so, I could say Linux (and numerous other systems) are not vulnerable as well. Just limit the number of spawned child processes of the listener process to minimize risk. A kernel-space mechanism will help you.

--
_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=--=> Did you know that clones never use mirrors? <=--=
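
The cap on listener children suggested in the message above, as an added example that is not part of the original post. Threads stand in for child processes here, and the class name, the cap of 4 and the 2-second idle timeout are assumptions chosen for illustration.

```python
import socket
import threading


class CappedListener:
    """Accept loop that never runs more than max_workers handlers at once."""

    def __init__(self, max_workers=4, idle_timeout=2.0):
        self.slots = threading.BoundedSemaphore(max_workers)
        self.idle_timeout = idle_timeout
        self.served = self.refused = 0
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))        # loopback only, ephemeral port
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]

    def _handle(self, conn):
        try:
            conn.settimeout(self.idle_timeout)  # silent peer is dropped after this
            conn.recv(1024)
        except OSError:                          # timeout or reset: give up on peer
            pass
        finally:
            conn.close()
            self.slots.release()                 # free the worker slot

    def serve(self, n_accepts):
        for _ in range(n_accepts):
            conn, _addr = self.sock.accept()
            if self.slots.acquire(blocking=False):
                self.served += 1
                threading.Thread(target=self._handle, args=(conn,), daemon=True).start()
            else:
                self.refused += 1                # over the cap: shed, do not spawn
                conn.close()
        self.sock.close()


def demo(n_clients=10):
    """Constructed test: n_clients idle local connections against a cap of 4."""
    srv = CappedListener()
    t = threading.Thread(target=srv.serve, args=(n_clients,))
    t.start()
    clients = [socket.create_connection(("127.0.0.1", srv.port)) for _ in range(n_clients)]
    t.join()
    for c in clients:
        c.close()
    return srv.served, srv.refused


if __name__ == "__main__":
    print(demo())
```

The cap bounds what idle connections cost the application; connection state held by the kernel's TCP stack is outside its reach.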