i386/70747: ddos attack causes box to crash on kernel 5.2.1

Jeff Harper jeff at acmeshells.com
Fri Aug 20 15:20:17 PDT 2004


>Number:         70747
>Category:       i386
>Synopsis:       ddos attack causes box to crash on kernel 5.2.1
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-i386
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Aug 20 22:20:16 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Jeff Harper
>Release:        5.2.1
>Organization:
AcmeShells
>Environment:
FreeBSD monarch.acmeshells.com 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE #2: Fri Aug 20 12:41:46 MST 2004     jeff at monarch.acmeshells.com:/usr/src/sys/i386/compile/MONARCH  i386
>Description:
      When someone issues an attack against the machine, the machine ends up crashing; only rebooting will bring it back to life.

logs of attack:

15:51:48.648519 66.235.193.71.2940 > 69.28.170.151.53:  12337 op6$ [b2&3=0x3233] [13879a] [13365q] [14393n] [16706au][|domain]
15:51:48.648525 66.235.193.71.2940 > 69.28.170.151.53:  12337 op6$ [b2&3=0x3233] [13879a] [13365q] [14393n] [16706au][|domain]
15:51:48.648533 66.235.193.71.2940 > 69.28.170.151.53:  12337 op6$ [b2&3=0x3233] [13879a] [13365q] [14393n] [16706au][|domain]



They send about 200,000 of these to port 53 and bam, the box crashes. This is a plain install with ipfw enabled; ipfw has port 53 blocked on that IP and it still does not help.
>How-To-Repeat:
      Someone would have to attack the IP using whatever method they are using.
>Fix:
      
>Release-Note:
>Audit-Trail:
>Unformatted:

