Re: (local?) linux DoS using nmap

[Ken Williams <jkwilli2 () unity ncsu edu>]

On Thu, 3 Jun 1999, cami wrote:

> Date: Thu, 3 Jun 1999 17:16:48 +0200
> From: cami <cami () dockside co za>
> To: nmap-hackers () insecure org
> Subject: Re: (local?) linux DoS using nmap
>
> > What kernel version are you running, and do you have SYN Cookies enabled
>
> 2.2.5
>
> > only ftp is affected;
>
> Sadly i'd have to say you are incorrect.
> To spice up the attack.. try something like this..
>
> kernel:~$ nmap 127.0.[0-255].[0-255] -sT
>
> And what do u get? all services go bye-bye.
>
> > I assume it will recover after some time.
>
> Unfortuately, wrong again. I sat waiting for
> my services to come around with no luck.
>
> > so now we have not only disabled ssh.
> > it got to scanning 127.0.5.* the load
> > went right down to 10. and ssh was
> > running again. 
>
> Very true, sshd seems to struggle but does
> indeed come back up (although with much
> difficulty.)
>
> I've managed to code a little tool that "locks"
> up sshd remotely rendering it useless.
> (along with basically any other daemon
>  running on a linux machine)
>
> btw.. just out of interests sake, i'm running
> Slackware 4.0.0 with syn cookies enabled
> on a pII 350 and 128m ram.
>
> Please also take note i've tested this against
> every version of linux i can get my hands on
> and it _does_ work on all distributions.
>
> Anyone run this against any FreeBSD machines
> etc..?

no effect at all on services or load for the following:

FreeBSD 2.2.8-STABLE
FreeBSD 3.1-RELEASE
FreeBSD 3.2-STABLE
FreeBSD 4.0-CURRENT
SunOS 5.5.1 sun4u sparc
SunOS 5.6 sun4u sparc
SunOS 5.7 sun4u sparc
SunOS 5.7 x86

-- ken

> Regards
> hotmetal of (src)
> hotmetal () hack co za
>
> (      www.hack.co.za        )
> (e x p l o i t    m a t r i x)
> (world domination in progress)