[11715] in bugtraq


Re: Local DoS in FreeBSD

daemon@ATHENA.MIT.EDU (Jared Mauch)
Tue Sep 7 13:11:27 1999

Mail-Followup-To: Darren Reed <avalon@COOMBS.ANU.EDU.AU>,
                  BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <19990902155124.M4369@puck.nether.net>
Date:         Thu, 2 Sep 1999 15:51:24 -0400
Reply-To: Jared Mauch <jared@PUCK.NETHER.NET>
From: Jared Mauch <jared@PUCK.NETHER.NET>
X-To:         Darren Reed <avalon@COOMBS.ANU.EDU.AU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <199909010130.LAA10648@cheops.anu.edu.au>

On Wed, Sep 01, 1999 at 11:30:26AM +1000, Darren Reed wrote:
> In some mail from L. Sassaman, sie said:
> > This was first posted to the FreeBSD security list on the 9th of August,
> > subsequently discussed on freebsd-stable and freebsd-hackers... no one
> > seems to care, even though it is able to lock up 2.2.6, 2.2.8, and 3.2.x
> > machines consistently. I have also been told that it affects NetBSD and
> > OpenBSD, though I haven't confirmed it.
> >
> > Someone with the know-how care to fix?
>
> Fixing this has been discussed internally, I imagine, by many of the
> affected OS's.  The problem is a resource starvation issue - in this
> case mbuf's.  Arguably, it shouldn't "lock up", just freeze up anything
> that does networking.
>
> I imagine you could lock up more than just the *BSD's with this program.

	I have a network monitoring program that I wrote (sysmon),
and it has what would be called either a bug or feature.

	FreeBSD seems to have fixed it, but NetBSD not quite yet.
I open up about 100 some sockets and send pings out, and increase
my receive buffer large enough that these 100 icmp replies can be held
properly to be counted, so I don't decide that a site is down
when it is not.

	In older FreeBSD versions, I would lock the system saying
out of mbufs, increase maxusers.  No matter how large I
increased maxusers that did not work.  There is a similar problem
with NetBSD currently (that I am aware of), but the program runs as root
to take advantage of this.  I personally think that it's a bug for
the OS to allow (even the superuser) to allocate too many resources
to the point of hard locking the machine (as that's what would happen
in FreeBSD, and is reported to happen in NetBSD by a reputable person).

	I haven't released a fix for my code yet, to not allocate
so many resources (which is what I should do anyways), but it's not
like I'm doing dd if=/dev/zero of=/dev/kmem.  There should be limits
on any userland process that allow them to return an error if you
attempt to allocate all the system resources.

	- jared

--
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
END OF LINE  |
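
An added example, not part of the original message and not sysmon's code: one way a monitoring program that opens many sockets could bound its receive-buffer requests, as the message says it should. The per-reply size, the total budget, the function names and the use of a UDP socket in place of a raw ICMP socket are all assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Assumed values for illustration; neither figure is from the message. */
#define REPLY_BYTES  2048           /* assumed buffer cost of one queued reply */
#define TOTAL_BUDGET (1024 * 1024)  /* assumed ceiling across all sockets */

/* Receive-buffer size for one socket: room for the expected replies, but
 * never more than an equal share of the budget. Returns 0 on bad input. */
size_t rcvbuf_share(size_t nsockets, size_t replies)
{
    if (nsockets == 0 || replies == 0)
        return 0;
    size_t share = TOTAL_BUDGET / nsockets;
    if (replies > share / REPLY_BYTES)  /* division avoids overflow */
        return share;
    return replies * REPLY_BYTES;
}

/* Request the size, then read back what the kernel actually granted.
 * Returns the granted size in bytes, or -1 on refusal or error. */
int set_rcvbuf(int fd, size_t want)
{
    int req = (int)want, got = 0;
    socklen_t len = sizeof(got);
    if (want == 0 || want > TOTAL_BUDGET)
        return -1;
    if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &req, sizeof(req)) < 0)
        return -1;  /* e.g. ENOBUFS: back off instead of retrying larger */
    if (getsockopt(fd, SOL_SOCKET, SO_RCVBUF, &got, &len) < 0)
        return -1;
    return got;
}

int main(void)
{
    /* UDP socket as an unprivileged stand-in for a raw ICMP socket. */
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) { perror("socket"); return 1; }
    size_t want = rcvbuf_share(100, 100);
    printf("asked %zu bytes, granted %d\n", want, set_rcvbuf(fd, want));
    close(fd);
    return 0;
}
```

The granted size can differ from the request because kernels round or clamp it, which is why the code reads the value back rather than trusting what it asked for.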
