Bugtraq mailing list archives
Re: SmurfLog 1.0
From: buglord () SY NET (Bug Lord)
Date: Fri, 10 Jul 1998 22:17:39 -0400
On Tue, 7 Jul 1998, Solar Designer wrote:
> 3. There're also several "generic" IDS problems in your code, including things pointed out by SNI in their paper (like the fact that this might miss packets under heavy load; probably not really important in the smurf case, but still should be realized), and things I mentioned in my Phrack 53 article (coming "soon", I hope), like the usage of qsort(3) and dynamic memory allocation being dangerous in such applications. There're obviously log flood issues also.
This is definitely a problem and has been fixed in SmurfLog v1.1 (available at http://www.sy.net/security). I took out dynamic memory allocation entirely and placed a limit on the number of broadcasts that will be logged during an attack. I can't imagine a genuine smurf attack going over 200 /24's, a far cry from the 256 * 256 * 256 = 16,777,216 possible /24's (at 4 bytes each entry an attack of spoofed echo replies could force the logger to hold 64MB of memory under the old system). This also fixes some problems with other platforms and occasional segfaults under heavy load, so everyone should upgrade.
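The kind of fix described in the message above, sketched as an added example that is not SmurfLog's source: a fixed-size table of /24 prefixes with the 200-entry cap, no dynamic allocation and no sorting. The struct, the function names, the `dropped` counter and the sample addresses are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_NETS 200            /* cap from the post: at most 200 /24s per attack */

struct net_table {
    uint32_t nets[MAX_NETS];    /* /24 prefixes, host byte order, low octet zeroed */
    size_t count;               /* slots in use */
    unsigned long dropped;      /* packets from new /24s seen after the table filled */
};

enum note_result { NET_NEW, NET_SEEN, NET_DROPPED };

static void net_table_reset(struct net_table *t)
{
    t->count = 0;
    t->dropped = 0;
}

/* Record the /24 that contains src (host byte order). The linear scan costs at
 * most MAX_NETS compares per packet, so spoofed sources cannot grow memory or
 * trigger a worst-case sort. */
static enum note_result net_table_note(struct net_table *t, uint32_t src)
{
    uint32_t net = src & 0xFFFFFF00u;
    for (size_t i = 0; i < t->count; i++)
        if (t->nets[i] == net)
            return NET_SEEN;
    if (t->count == MAX_NETS) {     /* full: count it, store nothing */
        t->dropped++;
        return NET_DROPPED;
    }
    t->nets[t->count++] = net;
    return NET_NEW;
}

/* Constructed input: n echo replies, each from a different /24 under 10.0.0.0/8. */
static size_t simulate_flood(struct net_table *t, uint32_t n)
{
    for (uint32_t i = 0; i < n; i++)
        net_table_note(t, 0x0A000000u + (i << 8) + 1u);
    return t->count;
}

int main(void)
{
    struct net_table t;
    net_table_reset(&t);
    size_t kept = simulate_flood(&t, 1000);
    printf("kept %zu nets in %zu bytes, dropped %lu\n", kept, sizeof t.nets, t.dropped);
    return 0;
}
```

Reporting the `dropped` total once per attack, rather than writing a line per rejected packet, also keeps the log bounded.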