Quick remedy for stream.c

[brett () LARIAT ORG (Brett Glass)]

At 03:44 PM 1/18/2000 , The Tree of Life wrote:

> I've been informed today by an irc admin that a new exploit is circulating
> around.  It "sends tcp-established bitstream shit" and makes the "kernel
> fuck up".
>
> It's called stream.c.

Actually, this affects most TCP stacks, including those in Linux, Solaris,
and all of the BSDs. Not tested under NT or Windows, but I'll bet it does so
there as well. The problem seems to stem from a worst-case path through the
kernel's socket lookup code, followed by the overhead of generating
a RST.

A quick bull session on the FreeBSD Security list has produced a workaround
that works on all of the BSDs and in fact anything that runs IPFilter. I
asked Darren Reed, author of IPFilter (which now comes with all of the BSDs)
if it's possible to block the attack using his firewall code, and he says
it is. Darren writes that the rules are as follows:

> pass in all
> block in proto tcp all head 100
> pass in proto tcp from any to any flags S keep state group 100

(Change group 100 to something else if you're already using it in your
firewall rules.)

He's tested these rules on a Solaris 7 system and they seem to defeat
the DoS.

Note that you must be using Darren's IPFilter package for this to work.
IPFW and some other firewalls do not remember the states of connections;
they therefore can't detect the "established bistream shit" mentioned
above.

I'd recommend that all BSD users add Darren's rules as a first-pass
fix for the problem. IPFilter also runs on Linux, but doesn't come
with all distros. To get it, see http://cheops.anu.edu.au/~avalon/

--Brett Glass