[18223] in bugtraq
Re: updated Bindview NAPTHA advisory
daemon@ATHENA.MIT.EDU (Michal Zalewski)
Wed Dec 20 16:35:27 2000
Message-Id: <Pine.LNX.4.30.0012200153270.13602-100000@dione.ids.pl>
Date: Wed, 20 Dec 2000 02:01:22 +0100
Reply-To: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
From: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
X-To: Bob Keyes <bkeyes@MAIL.BOS.BINDVIEW.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.BSF.4.05.10012181702340.92068-100000@mail.bos.bindview.com>
On Mon, 18 Dec 2000, Bob Keyes wrote:
> A set of network DoS vulnerabilities has been discovered, and the name
> NAPTHA is being used to describe them as a group. The NAPTHA
> vulnerabilities are weaknesses in the way that TCP/IP stacks and
> network applications handle the state of a TCP connection.
Do not get me wrong, but we've seen TCP packet spoofers a long time ago. It
is not difficult (a few lines in C!) to spoof a SYN packet, intercept the
response and send a SYN+ACK response without actually involving the system
network layer and system resources. I have been aware of such software for
long years, and most of the security people should be aware, as well. I would
say more - in a modern system, it isn't especially resource-consuming to
establish, let's say, 1000 connections to a remote service using the system
networking layer, as well (Linux 2.4 should handle it with no problems
within one process!). I wouldn't call "Naptha" innovative, and I do not
exactly get what that hype is about.
> Microsoft Windows No
Oh, does MS Windows 2000 implement some special kind of networking stack
which doesn't respect TCP/IP networking fundamentals, thus not being
vulnerable to such attacks at all? Or is there some kind of workaround? If
so, I could say Linux (and numerous other systems) are not vulnerable
either. Just limit the number of spawned child processes of the listener
process to minimize risk. A kernel-space mechanism will help you.
--
_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=--=> Did you know that clones never use mirrors? <=--=