Re: Denial of Service Attacks INFO

Fred Cohen (fc@all.net)
Thu, 23 May 1996 16:13:26 -0400

> Matthew (matt@ott.opcom.ca) wrote:
...
> On a similar note, a more practical example is this
> condition will occur if any NFS request (mount, getattr, etc.
> etc.) has the source IP field set to 127.0.0.1. This can
> happen in certain circumstances - I believe there is a patch
> for HP/UX 9.x under certain platforms that prevents this
> specific condition from occurring. (Any HP that mounts a
> SunOS 4.1.x server could cause it to crash merely by mounting
> it!).
>
> If anyone is feeling frisky, start playing with a SunOS box
> and try injecting spurious IP packets onto the wire... since
> SunOS doesn't have the nifty DLPI interface that Solaris has,
> it is probably susceptible to many, many similar attacks
> using the standard IP stack.

Indeed, ipsend tests crash many boxes at this time, and that's just
using standard off-the-shelf tests.

The way to stop many of these classes of attacks from over the Internet
is to follow the recommendations in "Eliminating IP Address Forgery"
(available at http://all.net/ under the Info-Sec Super Journal in
"Network Security") - however, these techniques will not stop them all.
For example:

UDP
From: victim-1
To: victim-2
From port: 7
To port: 11

When each is a legitimate address will cause such a loop.  Since each is
a legitimate address and each is on a different service port, even some
fairly sophistocated router-based defenses fail.  Good advice is to turn
off all UDP services that don't have strict format requirements.

-> See: Info-Sec Heaven at URL http://all.net/
Management Analytics - 330-686-0090 - PO Box 1480, Hudson, OH 44236
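
Added example, not part of the original message: a small filter model showing why the UDP packet above gets past an address-forgery check and what a port-pair check catches instead. The network ranges, the sample packets, and the set of "answer anything" UDP ports other than 7 and 11 are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# Assumptions for this sketch (not from the original message):
INSIDE = ip_network("192.0.2.0/24")        # constructed "our" network
LOOPBACK = ip_network("127.0.0.0/8")
# UDP services that answer any datagram regardless of content (assumed set;
# 7 and 11 are the two ports named in the message).
REPLY_TO_ANYTHING = {7: "echo", 11: "systat", 13: "daytime",
                     17: "qotd", 19: "chargen", 37: "time"}

def address_filter(pkt):
    """Border-router style forgery check on a packet arriving from outside."""
    src = ip_address(pkt["src"])
    if src in LOOPBACK:
        return "drop: loopback source on the wire"
    if src in INSIDE:
        return "drop: inside source arriving from outside"
    return None  # source address is plausible; this check has no objection

def port_pair_filter(pkt):
    """Flag service-to-service UDP: both ends are answer-anything ports."""
    s, d = pkt["sport"], pkt["dport"]
    if pkt["proto"] == "udp" and s in REPLY_TO_ANYTHING and d in REPLY_TO_ANYTHING:
        return f"drop: {REPLY_TO_ANYTHING[s]} -> {REPLY_TO_ANYTHING[d]} reply loop"
    return None

def verdict(pkt):
    """Apply the address check first, then the port-pair check."""
    return address_filter(pkt) or port_pair_filter(pkt) or "pass"

# Constructed sample packets as seen on the outside interface.
SAMPLES = [
    {"proto": "udp", "src": "127.0.0.1", "sport": 1023, "dst": "192.0.2.20", "dport": 2049},
    {"proto": "udp", "src": "192.0.2.7", "sport": 7, "dst": "192.0.2.20", "dport": 11},
    # The case from the message: both addresses legitimate, ports 7 and 11.
    {"proto": "udp", "src": "198.51.100.10", "sport": 7, "dst": "192.0.2.20", "dport": 11},
    {"proto": "udp", "src": "198.51.100.10", "sport": 40000, "dst": "192.0.2.20", "dport": 53},
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f'{p["src"]}:{p["sport"]} -> {p["dst"]}:{p["dport"]}  {verdict(p)}')
```

The port-pair rule only limits what crosses the filter; services on the same segment can still be looped against each other, which is why the message's advice is to turn the services off.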