Bugtraq mailing list archives

Re: BoS: Urgent !! Serious Linux Security Bug....


From: tgpt () pas rochester edu (Tom Guptill)
Date: Tue, 22 Oct 1996 12:16:41 -0400


I just wanted to note that some of the diagnoses people are using to track
this problem might be a bit shaky.  For example, if you're not doing your
diagnosis on the console or on a serial terminal, the machine might appear
to be "hung" during the test when in fact you've simply blocked it from
receiving network traffic.  (Not that this isn't a problem, mind you.)
For example:

ping -f -s 64000 sunos4machine
        from my Linux box

rapidly overflows the buffer on my Sun4/110 running 4.1.3_U1.  The machine
recovers, but it's "dead to the network" for the duration of the attack
and for a few moments afterward.  This is *not* the same problem as the
machine halting entirely or rebooting when it is being attacked: if I'm on
the console of the machine, it is still responsive, and while flood
pinging is still a denial of service attack its consequences are far less
serious (an interruption in remote access as opposed to a system crash
possibly resulting in loss of data).  Where possible, it might be handy to
clarify whether the machine suffers an OS-level "hang" (where it doesn't
come back) or a network-level "hang" (where the machine is still up and
running but it isn't talking to the network while the attack is going on.)

As a side note, a system that I used to administer in a previous job, which is
running a localized version of Linux 1.2.3, has a strange immunity to many
kinds of network attacks:  it's a 386SX16 with a ton of stuff added on
(multiple disk controllers, etc.) and very little RAM.  Whenever it gets
large bursts of network traffic, it starts missing interrupts and
essentially ignoring the network entirely.  The more heavily loaded the
machine is, the more quickly this happens.  Not the most elegant defense
in the world, but an effective one. :)

--
Tom Guptill                         tgpt () pas rochester edu
UNIX SA                             104 B&L RC
Department of Physics and Astronomy, University of Rochester
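
Added example, not part of the original message: one way to record the distinction drawn above between an OS-level and a network-level "hang", by pairing each remote probe with an out-of-band console heartbeat. The Sample fields, the boot_id marker and the three timelines are constructed assumptions, not data from the thread.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Sample:
    t: int                  # seconds since the test began
    net_ok: bool            # a remote probe (e.g. one ICMP echo) was answered
    console_ok: bool        # a heartbeat was seen on the console/serial line
    boot_id: Optional[str]  # changes across reboots; None while console is silent

def classify(samples, start, end):
    """Label how a host behaved for a flood that ran from start to end."""
    pre = [s.boot_id for s in samples if s.t < start and s.boot_id]
    if not pre:
        raise ValueError("need a pre-test sample to establish a baseline")
    during = [s for s in samples if start <= s.t <= end]
    after = [s for s in samples if s.t > end]
    # A new boot_id anywhere after the baseline means the host went down and came back.
    if any(s.boot_id and s.boot_id != pre[-1] for s in during + after):
        return "reboot"
    if all(s.net_ok for s in during):
        return "unaffected"
    if all(s.console_ok for s in during):
        # Host kept running; only its network path was unusable.
        recovered = bool(after) and after[-1].net_ok
        return "network-level hang" if recovered else "network-level hang, not recovered"
    if after and after[-1].console_ok:
        return "temporary stall"
    return "OS-level hang"

def build(rows):
    return [Sample(*r) for r in rows]

# Constructed timelines; the test window is t=10..30 in each.
NET_ONLY = build([(0, True, True, "b1"), (10, False, True, "b1"),
                  (20, False, True, "b1"), (30, False, True, "b1"),
                  (35, False, True, "b1"), (60, True, True, "b1")])
CRASHED = build([(0, True, True, "b1"), (10, False, True, "b1"),
                 (20, False, False, None), (30, False, False, None),
                 (60, False, False, None)])
REBOOTED = build([(0, True, True, "b1"), (10, False, True, "b1"),
                  (20, False, False, None), (60, True, True, "b2")])

if __name__ == "__main__":
    for name, tl in (("net-only", NET_ONLY), ("crashed", CRASHED), ("rebooted", REBOOTED)):
        print(name, "->", classify(tl, 10, 30))
```

A report that includes only the net_ok column cannot tell the first two timelines apart, which is the ambiguity the message warns about.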


