[Snort-devel] snort core dump with multiples DOS

axel.letourneur at ...1289... axel.letourneur at ...1289...
Wed May 15 09:08:05 EDT 2002

Hi all

I write to the mailling list few days ago, because on a little linux computer
snort crash after received multiple  ping of death.
the computer is pentium 166 Mhz with 64 Mo of RAM and a redhat linux 7.0 with
the last patchs
I use snort 1-8-6 and lipcap 0.7.1

  But I try snort on another computer, with fast  CPU and more memory RAM and
the redhat 7.2 with the last patchs
 snort up to 30 % of CPU usage with flood of ping of death but not crash
However if I flood snort with a modified teardrop attack the CPU use of snort up
to 99,5% and if I flood more with
ping-of-death then snort core dump

I thinks, that arrive only if the computer is overloading ( with the teardrop
attack ) or if it's a little computer's CPU.
it is certainly a BUG in the ping-of-death detection module

I give you the ping-of-death and teardrop code i use
(See attached file: ping-of-death1.c) (See attached file: teardrop.c)

This two programs compile fine on readhat linux 7.2 ( the ping of death use the
spoofed ip adress
with teardrop you must give the spoofed ip adress

I don't try but I think you could use a broadcast ip adresse for the destination
ip of the two DOS

I call this DOS in two terminal by the script
while [ 1 -eq 1 ]
./teardrop X.X.X.X Y.Y.Y.Y

where X.X.X.X is the source ip adresse and Y.Y.Y.Y the destion ip address

while [ 1 -eq 1 ]
./ping-of-death1 X.X.X.X

anyone could you help me



-------------- next part --------------
A non-text attachment was scrubbed...
Name: ping-of-death1.c
Type: application/octet-stream
Size: 7459 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20020515/80b59ac4/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: teardrop.c
Type: application/octet-stream
Size: 3976 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20020515/80b59ac4/attachment-0001.obj>

More information about the Snort-devel mailing list