Bugtraq mailing list archives
Re: netkill - generic remote DoS attack
From: shalunov () ATT COM (stanislav shalunov)
Date: Mon, 24 Apr 2000 11:20:43 -0400
It seems many people have found my explanation too long to be read. This is a shorter summary of what it is not and what it is. ------------------------------------------------------------ Netkill is not a connect() flood. The latter establishes connections and holds them open, making the server to maintain them with a file descriptors associated with them. Netkill is not a SYN flood. The latter doesn't establish any TCP connections, but instead attempts to overwhelm the server with connections in SYN_RCVD state. Netkill is not a network bandwidth flood. The latter attempts to eat all available bandwidth with uninteresting packets. Netkill is not 3wahas. (Thanks to Mixter for pointing out this tool.) The latter behaves in much the same way as a connect() flood, and is simply a bit faster for daemons that do not print banners (HTTP). 3wahas works like netkill in "process saturation" mode against HTTP when (3wahas is) used against services that do print banners (SMTP, FTP, etc.). It never works like netkill in "mbuf exhasution" mode. My analysis of 3wahas sent in response to Mixter's post (don't know if it made it to the list) is incorrect and should be disregarded. ------------------------------------------------------------ Netkill has two variations. In the one I call "mbufs exhaustion" in my original posting, the following happens in a loop: * a connection is established to the target and an HTTP request is sent; * a process on the target accepts the connection; * it reads the request; * it writes some data (up to 16 or 48KB depending on OS) in response; * it closes the file descriptor; * the process that handled the connection now exits or moves on. The net result is that tens of kilobytes of data are held in kernel space, in non-pageable real RAM until the connection (which is in FIN_WAIT_1 state) times out, which takes tens of minutes. This connection is not associated with any file descriptor or any process. The RAM used to hold the data is wasted. When we reach a kernel-imposed limit on RAM utilization for network purposes, or when we fill all RAM if no such limit exists in the kernel, the machine panics or locks down. (Tested against large boxes running Linux and FreeBSD.) The other variation is less severe and more boring and mundane. I call it "process saturation". It lets the processes hang around, thus making this more of a familiar user-space problem and a configuration issue. Which of the scenarios will unfold depends on the size of the requested file (mbufs saturation if it's less than an OS-specific limit). -- stanislav shalunov, WHPD, shalunov () att com 732-576-3252 11:08AM up 190 days, 31 mins, 6 users, load averages: 0.01, 0.02, 0.03 If you think the problem is bad now, just wait until we've solved it. -- Arthur Kasspe
Current thread:
- Re: Buffer Overflow in version .14, (continued)
- Re: Buffer Overflow in version .14 Alan DeKok (Apr 25)
- man-exploit for MANPAGER environment and a comment about the IMAP vuln psychoid () GMX NET (Apr 24)
- Re: man-exploit for MANPAGER environment... Mariusz Woloszyn (Apr 26)
- mtr-0.41 root exploit Przemyslaw Frasunek (Apr 24)
- Re: mtr-0.41 root exploit Kris Kennaway (Apr 24)
- Two Problems in IMP 2 Jose Nazario (Apr 24)
- Re: Two Problems in IMP 2 Ivan E. Moore II (Apr 25)
- Solaris x86 Xsun overflow. Theodor Ragnar Gislason (Apr 24)
- Solaris 7 x86 lp exploit Theodor Ragnar Gislason (Apr 24)
- Re: Solaris 7 x86 lp exploit Laurent LEVIER (Apr 24)
- Re: netkill - generic remote DoS attack stanislav shalunov (Apr 24)
- Solaris 7 x86 lpset exploit. Theodor Ragnar Gislason (Apr 24)
- Re: Solaris 7 x86 lpset exploit. Laurent LEVIER (Apr 24)
- Re: Solaris 7 x86 lpset exploit. Theodor Ragnar Gislason (Apr 25)
- Re: Solaris 7 x86 lpset exploit. Andrew Brown (Apr 26)
- Modifying NT credential and RAZOR's analysis of dvwsrr.dll Iván Arce (Apr 26)
- Re: Solaris 7 x86 lpset exploit. Len Rose (Apr 26)
- Re: Solaris 7 x86 lpset exploit. Eugene Ilchenko (Apr 26)
- Cisco HTTP possible bug: Keith Woodworth (Apr 26)
- Alert: Cart32 secret password backdoor (CISADV000427) Cerberus Security Team (Apr 26)
- Re: Alert: Cart32 secret password backdoor (CISADV000427) Bill Borton (Apr 28)
- Re: Solaris 7 x86 lpset exploit. Laurent LEVIER (Apr 24)