[Snort-users] OpenBSD IPsec DoS signature

Dragos Ruiu dr at ...381...
Fri Oct 6 18:37:57 EDT 2000


A while back I tested out an OpenBSD IPsec DoS for Matt Franz
and he did a bugtraq advisory for it a week back or so. Testing it
was kinda unpleasant... soo...

It was quickly fixed by Theo (<1 day on a weekend nonetheless) but I 
think that it exists in the stock 2.7 systems with IPsec enabled so we should
have a sig for it... (I'm purposely avoiding the "silent fix" controversy that
was raised by K2 in bugtraq....  But Theo's somewhat irritated "elite" post had 
me LOL)

I wanted to write a sig for it, but testing out which port causes the crash is
err... painful.  The culprit is an IP packet with an empty payload, has anyone
nailed down the port to a narrower (pref. single) value/range? My first guess
is isakmp/500 but I happen to use OpenBSD for the boxes I like to keep 
running and count on and I'm not up to more syscrashes just yet...

Maybe if Theo is still on-line, roaming the streets of Stockholm guerrilla
surfing on open wavelan ports he finds, he could enlighten us a little about his
fix... :-) Or if someone else knows or can test with nmap -sO the culprit
port....

thanks,
--dr
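As an added example (not code from the post, from Snort, or from the OpenBSD fix), the check below is the detection logic the post is asking for, written in Python so it can be run over packet bytes offline: it parses a raw IPv4 datagram, strips the UDP header where there is one, and raises an alert whenever no data remains after the headers, the condition the post describes. Marking the alert as "isakmp" when the destination port is 500 reflects only the poster's own guess, so that port, the function names and the sample datagrams are assumptions constructed here; TCP is skipped on purpose, because every SYN and bare ACK is an empty segment and would drown the alert.

```python
import struct
from ipaddress import IPv4Address

# Assumption: the poster guessed isakmp/500, so flag that port specially.
ISAKMP_PORT = 500


def parse_ipv4(pkt: bytes):
    """Split a raw IPv4 datagram into (proto, src, dst, payload).

    Returns None for anything that is not a well-formed IPv4 header.  The
    payload is cut at Total Length, so link-layer padding after a short
    datagram is not mistaken for data."""
    if len(pkt) < 20:
        return None
    (ver_ihl, _tos, total_len, _ident, _flags_frag, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        return None
    return proto, str(IPv4Address(src)), str(IPv4Address(dst)), pkt[ihl:total_len]


def transport_view(proto: int, payload: bytes):
    """Return (dport, data) for the transport layer.

    UDP (17): strip the 8-byte header and report the destination port.
    TCP (6): return None, empty segments are normal control traffic.
    Anything else (ESP=50, AH=51, ...): no port, the IP payload is the data."""
    if proto == 17 and len(payload) >= 8:
        _sport, dport, _ulen, _csum = struct.unpack("!HHHH", payload[:8])
        return dport, payload[8:]
    if proto == 6:
        return None
    return None, payload


def inspect(pkt: bytes):
    """Return an alert dict if the datagram carries no data at all, else None."""
    parsed = parse_ipv4(pkt)
    if parsed is None:
        return None
    proto, src, dst, payload = parsed
    view = transport_view(proto, payload)
    if view is None:
        return None
    dport, data = view
    if data:
        return None
    return {"src": src, "dst": dst, "proto": proto, "dport": dport,
            "isakmp": dport == ISAKMP_PORT}


def scan(packets):
    """Run inspect() over a sequence of raw datagrams and collect the alerts."""
    return [alert for alert in map(inspect, packets) if alert is not None]


# --- constructed sample datagrams (not captured traffic) ---
def _ipv4(proto, payload, src="10.0.0.1", dst="10.0.0.2"):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def _udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


SAMPLES = [
    _ipv4(17, _udp(40000, 500)),                # UDP to isakmp/500 with nothing after the header
    _ipv4(17, _udp(40000, 500, b"\x00" * 28)),  # UDP to 500 carrying a dummy ISAKMP-sized body
    _ipv4(50, b""),                             # ESP with nothing after the IP header
    _ipv4(17, _udp(53, 53, b"abc")),            # ordinary UDP traffic, not flagged
    b"\x60" + b"\x00" * 39,                     # version nibble 6: not IPv4, ignored
]

if __name__ == "__main__":
    for alert in scan(SAMPLES):
        print(alert)
```

Feeding real traffic in means handing `inspect()` each IP datagram from a capture; the alert dict gives the analyst the protocol number and port so a single-port hypothesis like the one in the post can be confirmed or discarded from a capture instead of by crashing a box.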


