Bugtraq mailing list archives

Re: updated Bindview NAPTHA advisory


From: Michal Zalewski <lcamtuf () DIONE IDS PL>
Date: Wed, 20 Dec 2000 02:01:22 +0100

On Mon, 18 Dec 2000, Bob Keyes wrote:

A set of network DoS vulnerabilities has been discovered, and the name
NAPTHA is being used to describe them as a group. The NAPTHA
vulnerabilities are weaknesses in the way that TCP/IP stacks and
network applications handle the state of a TCP connection.

Do not get me wrong, but we've seen TCP packet spoofers a long time ago. It
is not difficult (a few lines in C!) to spoof a SYN packet, intercept the
response and send a SYN+ACK response without actually involving the system
network layer and system resources. I have been aware of such software for
many years, and most security people should be aware of it as well. I would
say more: in a modern system, it isn't especially resource-consuming to
establish, let's say, 1000 connections to a remote service using the system
networking layer either (Linux 2.4 should handle it with no problems
within one process!). I wouldn't call "Naptha" innovative, and I do not
exactly get what that hype is about.

  Microsoft        Windows           No

Oh, does MS Windows 2000 implement some special kind of networking stack
which doesn't respect TCP/IP networking fundamentals, and is thus not
vulnerable to such attacks at all? Or is there some kind of workaround? If
so, I could say Linux (and numerous other systems) are not vulnerable as
well. Just limit the number of child processes spawned by the listener
process to minimize the risk. A kernel-space mechanism will help you.

--
_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=--=> Did you know that clones never use mirrors? <=--=
