Nmap Announce mailing list archives

Re: (local?) linux DoS using nmap


From: "cami" <cami () dockside co za>
Date: Thu, 3 Jun 1999 17:16:48 +0200

What kernel version are you running, and do you have SYN Cookies enabled?

2.2.5

only ftp is affected;

Sadly i'd have to say you are incorrect.
To spice up the attack.. try something like this..

kernel:~$ nmap 127.0.[0-255].[0-255] -sT

And what do u get? all services go bye-bye.

I assume it will recover after some time.

Unfortunately, wrong again. I sat waiting for
my services to come around with no luck.

so now we have not only disabled ssh.
it got to scanning 127.0.5.* the load
went right down to 10. and ssh was
running again. 

Very true, sshd seems to struggle but does
indeed come back up (although with much
difficulty.)

I've managed to code a little tool that "locks"
up sshd remotely rendering it useless.
(along with basically any other daemon
 running on a linux machine)

btw.. just out of interest's sake, i'm running
Slackware 4.0.0 with syn cookies enabled
on a pII 350 and 128m ram.

Please also take note i've tested this against
every version of linux i can get my hands on
and it _does_ work on all distributions.

Anyone run this against any FreeBSD machines
etc..?

Regards
hotmetal of (src)
hotmetal () hack co za

(      www.hack.co.za        )
(e x p l o i t    m a t r i x)
(world domination in progress)



