> Matthew (matt@ott.opcom.ca) wrote: ... > On a similar note, a more practical example is this > condition will occur if any NFS request (mount, getattr, etc. > etc.) has the source IP field set to 127.0.0.1. This can > happen in certain circumstances - I believe there is a patch > for HP/UX 9.x under certain platforms that prevents this > specific condition from occurring. (Any HP that mounts a > SunOS 4.1.x server could cause it to crash merely by mounting > it!). > > If anyone is feeling frisky, start playing with a SunOS box > and try injecting spurious IP packets onto the wire... since > SunOS doesn't have the nifty DLPI interface that Solaris has, > it is probably susceptible to many, many similar attacks > using the standard IP stack. Indeed, ipsend tests crash many boxes at this time, and that's just using standard off-the shelf tests. The way to stop many of these classes of attacks from over the Internet is to follow the recommendations in "Eliminating IP Address Forgery" (available at http://all.net/ under the Info-Sec Super Journal in "Network Security") - however, these techniques will not stop them all. For example: UDP >From: victim-1 To: victim-2 >From port: 7 To port: 11 When each is a legitimate address will cause such a loop. Since each is a legitimate address and each is on a different service port, even some fairly sophistocated router-based defenses fail. Good advice is to turn off all UDP services that don't have strict format requirements. -> See: Info-Sec Heaven at URL http://all.net/ Management Analytics - 330-686-0090 - PO Box 1480, Hudson, OH 44236