Re: stream.c

From: Michael H. Warfield (mhw@wittsend.com)
Date: Sat Jan 22 2000 - 12:12:35 EST


On Sat, Jan 22, 2000 at 10:47:49AM -0600, Brian wrote:

> Does the prospect of coming up with a solution to stop attacks on the
> kernel from stream.c look good? With so many OS's vulnerable, I am sure
> Linux will be one of the first fixed. I don't suppose their is anything
> we can do in the meantime to lessen the effects is there?

        We've been looking over stream.c can't see that there is a problem.
I've had numerous systems under fire from stream.c for hours with barely
a slowup. Alan's unimpressed, I'm unimpressed (I'm the Senior Researcher
for Internet Security Systems). We haven't been able to blow up a single
Linux system using this utility.

        You say "With so many OS's vulnerable". Based on what? The
reports that I saw on BugTraq said that it blows up FreeBSD. There
is a patch out there for FreeBSD.

        We have some indication that it may only be a serious problem with
FreeBSD boxes which are tight on memory. A lightly loaded FreeBSD 4.0 box
with 256Meg of memory did not fail for us after an extensive attack. That's
not surprising, considering that it's a hash table overflow problem and
that box had gobs of memory to throw at the hash table.

        One person objected to calling it a FreeBSD exploit because, he
claimed, he was able to make a Linux box fail. No one has been able to
reproduce that result. The worse we have found is that Linux boxes
seem to slow up a bit worse than OpenBSD boxes (which don't even blink).
I've hit Netware, Windows NT, Windows 2000, and a host (yuck - pun alert)
of others. None died.

        The original report indicated that some people thought that this
was the cause of some recent kernel panics on Goggle.com (which just happens
to run FreeBSD). There have been followup reports that indicated that the
two problems may be unrelated. The jury is still out.

        You got some specifics or are you just going off on unsubstantiated
rumors? If you've got some specific conditions under which you have seen
stream.c (packet length and service would be handy) take out a Linux box
by any means other than clogging a connecting router, I would love to hear
what those conditions are.

> Brian

> -----------------------------------------------------
> Brian Feeny (BF304) signal@shreve.net
> 318-222-2638 x 109 http://www.shreve.net/~signal
> Network Administrator ShreveNet Inc. (ASN 11881)

        Mike

-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Sun Jan 23 2000 - 21:00:27 EST