[26837] in North American Network Operators' Group
Re: New form of packet attack named Stream
daemon@ATHENA.MIT.EDU (Jamie Rishaw)
Thu Jan 20 16:22:14 2000
Date: Thu, 20 Jan 2000 13:08:04 -0800
From: Jamie Rishaw <jamie@dilbert.exodus.net>
To: nanog@merit.edu
Message-ID: <20000120130804.A22328@dilbert.exodus.net>
Reply-To: jamie@exodus.net
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <20000120125404.A22107@dilbert.exodus.net>
Errors-To: owner-nanog-outgoing@merit.edu
Unless you are
Vixie
Hubbard
Cerf
Donelan
Manning
Bush
Jesus Christ
A major s/w key figure
or comparable entity
.. or someone that knows me IRL, and has for some time .. please do not
e-mail me asking for the code.
Thanks.
-jamie
On Thu, Jan 20, 2000 at 12:54:04PM -0800, Jamie Rishaw wrote:
>
> That's because it's a really nasty attack.
>
> I have a copy.. I've successfully completely taken down every layer-3
> device of my own that I've launched it against.
>
> The attack sends massive ACKs to the victim. The ACKs are dropped at
> the kernel, but it's CPU bound. So unless you have tons of CPU to spare,
> your system will essentially slow to a pause when under this sort of
> attack.
>
> Another icky thing.. Established bit.. A lot of firewalls ass-u-me that
> if a packet is marked established, it's valid and should be passed along.
> This exploit takes advantage of that assumption. I don't know to what
> level firewall software looks at packets (checking headers for sequence
> number, etc), but this one is intelligent.
>
> This is no "groundbreaking" attack.. it's been discussed before of
> how header trickery could do things.. but.. eh.. I dunno. My TCP/IP
> knowledge only goes so far, so I don't have a ton of room to elaborate.
>
> Regardless..
> A successful distributed attack using this exploit *can* take down major
> parts of the Internet.
>
> Key people at software vendors already have copies of this and are trying
> to work on a fix. I doubt anything real is going to come of it as far
> as a remedy or counter, very soon.
>
> Regards
>
> Jamie Rishaw
>
> On Thu, Jan 20, 2000 at 12:57:39PM -0600, Joe Shaw wrote:
> >
> >
> > I haven't heard of it, so could you please provide some more technical
> > details? I saw nothing on it come across bugtraq or in the archives.
> >
> > --
> > Joseph W. Shaw - jshaw@insync.net
> > Computer Security Consultant and Programmer
> > Free UNIX advocate - "I hack, therefore I am."
> >
> > On Thu, 20 Jan 2000, Henry R. Linneweh wrote:
> >
> > >
> > > anyone have a preventative method for this?
> >
>
> --
> jamie rishaw (efnet:gavroche) -- Exodus Communications, Inc.
> Senior Network Engineer, Los Angeles / SoCal Data Centers
> Corporate association for identification, not representation
--
jamie rishaw (efnet:gavroche) -- Exodus Communications, Inc.
Senior Network Engineer, Los Angeles / SoCal Data Centers
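
Added example, not part of the original message or thread: a defender-side comparison of the "established" flag match described above with a minimal connection-tracking check, run over constructed packets. The names (Packet, ConnTracker, compare), the addresses and the flows are assumptions for illustration, and sequence-number validation is left out.

```python
# Added illustration: stateless "established" matching vs. connection tracking.
# All packets, addresses and ports below are constructed sample data.
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits


def stateless_established(pkt):
    """Classic 'established' match: pass any segment with ACK or RST set."""
    return bool(pkt.flags & (ACK | RST))


class ConnTracker:
    """Minimal state table: inbound segments pass only for flows opened from inside."""

    def __init__(self):
        self.flows = set()

    def outbound(self, pkt):
        # Record a flow when an inside host sends an initial SYN (no ACK).
        if (pkt.flags & SYN) and not (pkt.flags & ACK):
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound_allowed(self, pkt):
        # An inbound segment must be the exact reverse of a recorded flow.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def compare(outbound, inbound):
    """Return (stateless_verdict, stateful_verdict) for each inbound packet."""
    tracker = ConnTracker()
    for pkt in outbound:
        tracker.outbound(pkt)
    return [(stateless_established(p), tracker.inbound_allowed(p)) for p in inbound]


# Constructed traffic: one legitimate outbound connection, three inbound segments.
SAMPLE_OUTBOUND = [Packet("192.0.2.10", 40000, "198.51.100.5", 80, SYN)]
SAMPLE_INBOUND = [
    Packet("198.51.100.5", 80, "192.0.2.10", 40000, SYN | ACK),  # reply to our SYN
    Packet("203.0.113.7", 1234, "192.0.2.10", 80, ACK),          # ACK with no flow
    Packet("203.0.113.7", 1235, "192.0.2.10", 80, SYN),          # unsolicited SYN
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_INBOUND, compare(SAMPLE_OUTBOUND, SAMPLE_INBOUND)):
        print(pkt, "stateless=%s stateful=%s" % verdict)
```

The second inbound packet is the case the message describes: the flag-only rule passes it, while the state table has no matching flow and drops it.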