Bugtraq mailing list archives

Re: SmurfLog 1.0

From: solar () FALSE COM (Solar Designer)
Date: Tue, 7 Jul 1998 03:02:50 +0400


Hello,

  SmurfLog 1.0 by Bug Lord. A program to assist logging of smurf attacks.


Nice.., but from a quick look at the source, there're a few problems:

1. Are you sure that reading from a raw ICMP socket strips the IP options
out, and does that on all the operating systems you're trying to support?
(I'm not even sure if there's at least one that does so.) If the packets
were sent directly by the attacker (and not by the smurf amplifiers), it
looks like an attacker might at least avoid detection by sending packets
with IP options to change the offset of ICMP header in the data you get
from the socket. While this doesn't seem to be a problem for detecting
smurf attacks, it probably is a problem if you try to detect direct ping
floods also.

2. The code fails to drop its group privileges, because of the wrong order
of setuid() and setgid() calls. This doesn't look too dangerous in this
case, but still isn't what you meant to code. It's also a bad idea to not
check the return value from syscalls, especially ones like setgid().

3. There're also several "generic" IDS problems in your code, including
things pointed out by SNI in their paper (like the fact that this might
miss packets under heavy load; probably not really important in the smurf
case, but still should be realized), and things I mentioned in my Phrack
53 article (coming "soon", I hope), like the usage of qsort(3) and dynamic
memory allocation being dangerous in such applications. There're obviously
log flood issues also.

Now, why this goes to BugTraq. I would normally reply privately (or even
be too lazy to reply at all), but since there was a port scan detection
patch mentioned on BugTraq recently, which had some similar problems (the
"generic" ones), I thought it's worth pointing people to my little article
(too bad it's not out yet), so that they read it before making such tools.
BTW, the article uses port scans as an example, and discusses all parts of
such a simplified IDS. (Note: I'm not into IDS development, but am tired
of seeing broken tools out there, especially Abacus Sentry, which made me
finally write this. Your SmurfLog is in fact not that bad.;-)

Signed,
Solar Designer

Current thread:

SmurfLog 1.0 Bug Lord (Jul 03)
- Linux kernel filesystem oddities Michal Zalewski (Jul 05)
  - sentry Paul Boehm (Jul 08)
  - Re: Linux kernel filesystem oddities Pavel Kankovsky (Jul 08)
    - Re: Linux kernel filesystem oddities Michal Zalewski (Jul 06)
    - Re: Linux kernel filesystem oddities Pavel Kankovsky (Jul 08)
    - Re: Linux kernel filesystem oddities Jeffrey Hutzelman (Jul 09)
    - dslip package David Kopstain (Jul 09)
    - SLMail 3.0.2421 Stack Overflow... Aleph One (Jul 09)
- Re: SmurfLog 1.0 Solar Designer (Jul 06)
  - Re: SmurfLog 1.0 Bug Lord (Jul 10)
- port 0 scanning Lamont Granquist (Jul 08)
  - Re: port 0 scanning Lamont Granquist (Jul 09)
    - Regarding Mudge's OBP/FORTH root hack (PHRACK53) Jericho Nunn (Jul 10)
    - Re: Regarding Mudge's OBP/FORTH root hack (PHRACK53) John W. Temples (Jul 11)
    - Re: Regarding Mudge's OBP/FORTH root hack (PHRACK53) Casper Dik (Jul 13)
    - Re: Regarding Mudge's OBP/FORTH root hack (PHRACK53) Gene Spafford (Jul 11)
    - Re: Regarding Mudge's OBP/FORTH root hack (PHRACK53) Mike Scher (Jul 11)
    - Re: Regarding Mudge's OBP/FORTH root hack (PHRACK53) Casper Dik (Jul 13)
    - [FWD] Attention: Please update your imapd Raj Singh (Jul 13)

(Thread continues...)