Bugtraq mailing list archives
Re: Quick remedy for stream.c
From: dfrasnel () DOXX NET (Frasnelli, Dan)
Date: Fri, 21 Jan 2000 11:52:42 -0800
Planned to reserve my comments until after the code went public, but since everyone is discussing it now....
A quick bull session on the FreeBSD Security list has produced a workaround that works on all of the BSDs and in fact anything that runs IPFilter. I asked Darren Reed, author of IPFilter (which now comes with all of the BSDs) if it's possible to block the attack using his firewall code, and he says it is. Darren writes that the rules are as follows:
The only fix you should need with a FreeBSD 3.x (and 4.x?) system is the option "ICMP_BANDLIM" in your config file. In my tests against a target on the same switch running 3.4RC (-stable), this option proved effective. Granted you fill up the message buffer as the system responds, but that's a minor effect. Tested BSD/OS 4.0.1, Solaris 2.6/sparc and Linux 2.2.14 (homebrew distr); none were using filter nor firewall packages, none were affected negatively. Not to imply stream.c does not affect _some_ configuration (ie. out-of-box) of the tested operating systems... just that I was unable to duplicate the supposed DoS.
He's tested these rules on a Solaris 7 system and they seem to defeat the DoS.
Has anyone actually tested this against Solaris, or is it just assumed to be vulnerable? I hammered a Solaris 2.6/sparc box (SS20, pl 105181-05) over a 100Mb crossover for a solid 15 minutes without noticable effect to established or newly-established sessions. Verified the packets were being sent from both the attack and target ends - at the specified rate. I wonder if we're working with the same 'stream.c' ;-) Regards, -- Dan Frasnelli Security analyst
Current thread:
- Quick remedy for stream.c Brett Glass (Jan 20)
- Re: Quick remedy for stream.c Frasnelli, Dan (Jan 21)
- Re: Quick remedy for stream.c bella (Jan 21)
- RDISK registry enumeration file vulnerability in Windows NT 4.0 Terminal Server Edition Arne Vidstrom (Jan 21)
- Re: RDISK registry enumeration file vulnerability in Windows NT 4.0 Terminal Server Edition Andy Polyakov (Jan 24)