From: Willy Tarreau <willy@w.ods.org>
To: Wolfpaw - Dale Corse <admin@wolfpaw.net>
Cc: peter@mysql.com, linux-kernel@vger.kernel.org, netdev@oss.sgi.com
Subject: Re: Linux 2.4.27 SECURITY BUG - TCP Local and REMOTE(verified) Denial of Service Attack
Date: Sun, 12 Sep 2004 20:18:43 +0200 [thread overview]
Message-ID: <20040912181843.GA3619@alpha.home.local> (raw)
In-Reply-To: <20040912175946.GA3491@alpha.home.local>
Hi again, Dale,
I forgot to say that you don't need to fear releasing your exploit. I
developped its equivalent 4 years ago to stress-test web servers and
proxies, and if I launch it against victim:23, I get the exact same
result within seconds : a CLOSE_WAIT socket :
attacker> ./connectdata 10.0.3.2 23 200 1
ERROR: connect()=-1, nbconn=134 : Connection refused
ERROR: connect()=-1, nbconn=135 : Connection refused
ERROR: connect()=-1, nbconn=136 : Connection refused
ERROR: connect()=-1, nbconn=137 : Connection refused
The program connects 200 sockets to the same IP:port, and sends the begining
of an HTTP request.
victim> sudo netstat -atnp|grep -v LISTEN
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 17 0 10.0.3.2:23 10.0.3.1:38214 CLOSE_WAIT 1333/inetd
It's even not necessary to send data, then even faster to block my very old
inetd :
attacker> ./connectdata-nb 10.0.3.2 23 200
200 connections established.
Press any key so exit.
This time, it sends 200 non-blocking connect() calls without any data. It
takes a fraction of a second with the same result. Hopefully, it'll will
help Peter and you reproduce the problem faster on mysql.
Both programs have been freely available here for two years ; I didn't think
they would be useful again !
http://w.ods.org/tools/connect/
Regards,
Willy
next prev parent reply other threads:[~2004-09-12 18:18 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <029201c498d8$dff156f0$0300a8c0@s>
[not found] ` <001c01c498df$8d2cd0f0$0200a8c0@wolf>
2004-09-12 17:59 ` Linux 2.4.27 SECURITY BUG - TCP Local and REMOTE(verified) Denial of Service Attack Willy Tarreau
2004-09-12 17:17 ` Alan Cox
2004-09-12 18:18 ` Willy Tarreau [this message]
[not found] <02b201c498f6$8bb92540$0300a8c0@s>
2004-09-12 18:40 ` Linux 2.4.27 SECURITY BUG - TCP Local and REMOTE(verified)Denial " Wolfpaw - Dale Corse
2004-09-12 18:01 ` Alan Cox
2004-09-12 19:48 ` Willy Tarreau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20040912181843.GA3619@alpha.home.local \
--to=willy@w.ods.org \
--cc=admin@wolfpaw.net \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@oss.sgi.com \
--cc=peter@mysql.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).