[21919] in bugtraq
Re: UDP packet handling weird behaviour of various operating systems
daemon@ATHENA.MIT.EDU (Michal Zalewski)
Fri Jul 27 01:38:44 2001
Date: Thu, 26 Jul 2001 21:30:01 -0400 (EDT)
From: Michal Zalewski <lcamtuf@gis.net>
To: Cade Cairns <cairnsc@securityfocus.com>
Cc: Stefan Laudat <stefan@mail.allianztiriac.ro>, bugtraq@securityfocus.com
In-Reply-To: <Pine.GSO.4.30.0107261637260.29142-100000@mail>
Message-ID: <Pine.LNX.4.21.0107262125470.747-100000@nimue.bos.bindview.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Thu, 26 Jul 2001, Cade Cairns wrote:
> After Stefan made his post to Bugtraq, I performed a few tests on
> machines running Linux 2.2.14 and Linux 2.4.0. I wrote a simple test
> program to send a large number of small messages to an arbitrary
> serviceless port on the target machines. I was able to reproduce the
> problem on a slower (400mhz) machine running 2.4.0, it virtually
> stopped responding until the flood ended.
Try the same via loopback device - should not work. I believe this is not
Linux kernel UDP handling problem. It might be, as suggested, but
something between hardware and software, instead (like "IRQ congestion"),
and probably should work for everything - TCP, ICMP? Of course I can be
wrong - all I say is that I was not able to reproduce this behavior in my
test network, maybe because it is 10 Mbit, and can't see any special
reason why UDP attack should be more successful than any other...
--
_____________________________________________________
Michal Zalewski [lcamtuf@bos.bindview.com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
