Bugtraq mailing list archives
Quick remedy for stream.c
From: brett () LARIAT ORG (Brett Glass)
Date: Thu, 20 Jan 2000 20:01:33 -0700
At 03:44 PM 1/18/2000 , The Tree of Life wrote:
I've been informed today by an irc admin that a new exploit is circulating around. It "sends tcp-established bitstream shit" and makes the "kernel fuck up". It's called stream.c.
Actually, this affects most TCP stacks, including those in Linux, Solaris, and all of the BSDs. Not tested under NT or Windows, but I'll bet it does so there as well. The problem seems to stem from a worst-case path through the kernel's socket lookup code, followed by the overhead of generating a RST. A quick bull session on the FreeBSD Security list has produced a workaround that works on all of the BSDs and in fact anything that runs IPFilter. I asked Darren Reed, author of IPFilter (which now comes with all of the BSDs) if it's possible to block the attack using his firewall code, and he says it is. Darren writes that the rules are as follows:
pass in all block in proto tcp all head 100 pass in proto tcp from any to any flags S keep state group 100
(Change group 100 to something else if you're already using it in your firewall rules.) He's tested these rules on a Solaris 7 system and they seem to defeat the DoS. Note that you must be using Darren's IPFilter package for this to work. IPFW and some other firewalls do not remember the states of connections; they therefore can't detect the "established bistream shit" mentioned above. I'd recommend that all BSD users add Darren's rules as a first-pass fix for the problem. IPFilter also runs on Linux, but doesn't come with all distros. To get it, see http://cheops.anu.edu.au/~avalon/ --Brett Glass
Current thread:
- Quick remedy for stream.c Brett Glass (Jan 20)
- Re: Quick remedy for stream.c Frasnelli, Dan (Jan 21)
- Re: Quick remedy for stream.c bella (Jan 21)
- RDISK registry enumeration file vulnerability in Windows NT 4.0 Terminal Server Edition Arne Vidstrom (Jan 21)
- Re: RDISK registry enumeration file vulnerability in Windows NT 4.0 Terminal Server Edition Andy Polyakov (Jan 24)