Bugtraq mailing list archives
Re: Remote DoS Attack in Eeye Iris 1.01 and SpyNet CaptureNet v3.12 Vulnerability
From: Jonathan Rickman <jonathan () XCORPS NET>
Date: Thu, 31 Aug 2000 20:37:19 -0400
Attack Platform: PII 366 / 64mb RAM / Xircom CEM 56-100 / X-over Cable

Victims

Crashed:
AMD K6 300mhz / 64mb RAM / Xircom CEM 56-100 / approx 45 seconds
P200mmx / 96mb / 3C905B-TX / 3 minutes 33 seconds

Survived:
PIII 500mhz / 256mb RAM / Some kind of Intel card? (built in)
PII 400mhz / 64mb RAM / 3C905B-TX

From what I've seen with my own eyes, this appears to be directly related to processing power (or lack thereof). It should also be mentioned that the attack platform was at 98% or higher CPU usage during all 4 attacks. The machines that survived were under attack for at least 10 minutes. None of the victim hosts were running anything during the attacks. I have a feeling that the last machine would have crashed had anything else been running on it. So...to quote Marc Maiffret

"While we do not discount the fact that Iris might crash when flooded with thousands of packets, we think it will be rare for any modern system (I.E. Our recommended hardware configuration, 400mhz, 128megs of ram, or better) to be vulnerable to this "bug.""

I have to agree...

---------------------
Jonathan Rickman
X-Corps Security
http://www.xcorps.net

On Thu, 31 Aug 2000, Elias Levy wrote:

If anyone can reproduce the crash of Iris please let us know. Being able to force a sniffer application into using most of its CPU by flooding the network is an endemic problem of that type of application, although in this case the problem seems like it can easily be mitigated by configuring the app not to display packets graphically, which is what is consuming most of the CPU.

The real possible vulnerability is the heap overflow that may make Iris crash. If anyone can verify this claim we'd like to hear from them.

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum