Re: [grsec] Linux 2.4.27 SECURITY BUG - TCP Local (probable Remote) Denial of Service

• Previous message: Andrew Morton: "Re: [pagevec] resize pagevec to O(lg(NR_CPUS))"
• In reply to: Wolfpaw - Dale Corse: "Linux 2.4.27 SECURITY BUG - TCP Local (probable Remote) Denial of Service"
• Next in thread: Wolfpaw - Dale Corse: "RE: Linux 2.4.27 SECURITY BUG - TCP Local (probable Remote) Denial of Service"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Date:	Sun, 12 Sep 2004 02:47:10 -0500
To: Wolfpaw - Dale Corse <admin-lists@wolfpaw.net>

Wolfpaw - Dale Corse wrote:

>Greetings,
>
> My apologies if this is to the wrong place - it happens to be the
>first kernel bug I have found (or what appears to be one), and I'm
>not entirely sure how to properly inform the Linux community about
>it.
>
>Anyway - on to the bug :)
>==========================
>Severity: HIGH
>Title: KERNEL: TCP Local (probable remote) Denial of Service
>Date: September 11, 2004
>
>

Actually, it seems that the sockets that are not closing properly are
the ones opened by your proof of concept code, *NOT* the server. The
servers (mysql and Apache), close their sockets properly. I could verify
this over a network. Locally, I got

tcp 0 0 192.168.53.2:41440 192.168.53.1:3306
TIME_WAIT
tcp 0 0 192.168.53.2:41442 192.168.53.1:3306
TIME_WAIT
tcp 0 0 192.168.53.2:41443 192.168.53.1:3306
TIME_WAIT
tcp 0 0 192.168.53.2:41452 192.168.53.1:3306
TIME_WAIT
tcp 0 0 192.168.53.2:41468 192.168.53.1:80
TIME_WAIT
tcp 0 0 192.168.53.2:41441 192.168.53.1:80
TIME_WAIT
tcp 0 0 192.168.53.2:41447 192.168.53.1:80
TIME_WAIT
tcp 0 0 192.168.53.2:41444 192.168.53.1:80 TIME

etc..

But on the server, only 1 or two ESTABISHED entries, nothing more.

I don't see much of a DOS, except maybe to DOS a localhost. And you can
do that already.

>The socket table looks like this while it is going on:
>
>http://www.ancients.org/LG.txt
>(it is 29,000+ lines, so I didn't put it here)
>
>

-- 
Building your applications one byte at a time
http://www.galacticasoftware.com
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

• Previous message: Andrew Morton: "Re: [pagevec] resize pagevec to O(lg(NR_CPUS))"
• In reply to: Wolfpaw - Dale Corse: "Linux 2.4.27 SECURITY BUG - TCP Local (probable Remote) Denial of Service"
• Next in thread: Wolfpaw - Dale Corse: "RE: Linux 2.4.27 SECURITY BUG - TCP Local (probable Remote) Denial of Service"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Relevant Pages Re: TCP/IP comms problems between WinXP and DOS ... I have written client and server versions ... In the instance where I have a problem the DOS system is running as client, ... By simple changing of i/p addresses / network names I have run the client ... (microsoft.public.dotnet.languages.vc) Re: DOS Printing from Windows Server 2003 TS? ... STAT-NT03 is the TS server name. ... We will see if it works for the 5 remote users over the Internet. ... We have a customer who is still using and old DOS version of software ... could not find anything except a Kixstart script. ... (microsoft.public.windows.terminal_services) RE: DOS ATTACK ... Subject: DOS ATTACK ... server which I guess is your problem. ... block traffic based on referrer. ... (Incidents) Re: Ports that are open on a Server ... The server is not an internet server, ... mail server already behind a firewall. ... The DoS that I ... (microsoft.public.win2000.security) Re: Ghosting clients ... can you post the netcard settings from the DOS config files. ... It also handed out a Primary DNS server. ... what does the network information look like on the DOS machine under DOS? ... (microsoft.public.windows.server.general)