Re: Quick remedy for stream.c

[dfrasnel () DOXX NET (Frasnelli, Dan)]

Planned to reserve my comments until after the code went public, but
since everyone is discussing it now....

> A quick bull session on the FreeBSD Security list has produced a workaround
> that works on all of the BSDs and in fact anything that runs IPFilter. I
> asked Darren Reed, author of IPFilter (which now comes with all of the BSDs)
> if it's possible to block the attack using his firewall code, and he says
> it is. Darren writes that the rules are as follows:

The only fix you should need with a FreeBSD 3.x (and 4.x?) system
is the option "ICMP_BANDLIM" in your config file.  In my tests
against a target on the same switch running 3.4RC (-stable), this
option proved effective.  Granted you fill up the message buffer as the
system responds, but that's a minor effect.  Tested BSD/OS 4.0.1,
Solaris 2.6/sparc and Linux 2.2.14 (homebrew distr); none were using
filter nor firewall packages, none were affected negatively.
Not to imply stream.c does not affect _some_ configuration
(ie. out-of-box) of the tested operating systems... just that I was
unable to duplicate the supposed DoS.

> He's tested these rules on a Solaris 7 system and they seem to defeat
> the DoS.

Has anyone actually tested this against Solaris, or is it just assumed
to be vulnerable? I hammered a Solaris 2.6/sparc box (SS20, pl 105181-05)
over a 100Mb crossover for a solid 15 minutes without noticable effect to
established or newly-established sessions.  Verified the packets were
being sent from both the attack and target ends - at the specified rate.

I wonder if we're working with the same 'stream.c' ;-)

Regards,

--
Dan Frasnelli
Security analyst