Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 16 Sep 2009 22:26:46 +0200
From: Willy Tarreau <w@....eu>
To: Marcus Meissner <meissner@...e.de>
Cc: OSS Security List <oss-security@...ts.openwall.com>, security@...nel.org,
        davem@...emloft.net
Subject: Re: [Security] CVE-2008-4609 / Outpost24 TCP issues

Hi Marcus,

On Wed, Sep 16, 2009 at 03:50:56PM +0200, Marcus Meissner wrote:
> Hi folks,
> 
> I get customer queries on whether and how the Linux kernel is affected
> to the CVE-2008-4609 TCP denial of service problems ...
> 
> This seems to a large degree to be a kernel issue.
> Also how are applications involved in the whole picture?
> 
> To my own not so deep knowledge this issue seems to affect us
> even today.
> 
> Has anyone insights to that?

Well, I've just read the PDF from the outpost24 site, and it appears
as TCP for dummies. It basically explains how to create connections
without using connect().

  1) everyone knows how to change ulimit -n + bind() to establish
     hundreds of thousands of connections from a client to a server
     using source IP ranges, without even having to fiddle with raw
     sockets.

  2) I don't see what is new in his stateless SYN/SYN-ACK/ACK method.
     To the best of my knowledge it's been used for ages in network
     testing. I even have a modified Netfilter TARPIT module designed
     to do that to stress network equipments with millions of
     connections when associated with a standard SYN flooder.

I think these guys are just trying once again to get all the lights
on them before revealing trivial things, as it's becoming more and
more common. It's fantastic to see press journalists speculate on
what the isue might be !

So unless they reveal anything serious, right now it looks like
pure fantasy. Or maybe I wasn't able to find relevant information
on the subject :-/

Regards,
Willy

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.