[Snort-users] Re: OpenBSD IPsec DoS signature

Theo de Raadt deraadt at ...588...
Fri Oct 6 19:06:25 EDT 2000

>A while back I tested out an OpenBSD IPsec DoS for Matt Franz
>and he did a bugtraq advisory for it a week back or so. Testing it
>was kinda unpleasant... soo...
>It was quickly fixed by Theo (<1 day on a weekend nonetheless) but I

I did not write the fix.  angelos at ...590... did.

>think that it exists in the stock 2.7 systems with IPsec enabled so we should
>have a sig for it... (I'm purposely avoiding the "silent fix" controversy that
>was raised by K2 in bugtraq....  But Theo's somewhat irritated "elite" post had me LOL)
>I wanted to write a sig for it, but testing out which port causes the crash is
>err... painful.  The culprit is an IP packet with an empty payload, has anyone
>nailed down the port to a narrower (pref single) value/range? My first guess
>is isakmp/500 but I happen to use OpenBSD for the boxes I like to keep
>running and count on and I'm not up to more syscrashes just yet...

It is very unlikely to be isakmpd's port.

>Maybe if Theo is still on-line, roaming the streets of Stockholm guerrilla
>surfing on open wavelan ports he finds, he could enlighten us a little about his
>fix... :-) Or if someone else knows or can test with nmap -sO the culprit

I am still doing that, but unfortunately I am running out of battery
since I didn't buy a power adapter yet.  There's very little wavelan
in this part of downtown, but for some reason I get it loud and clear
if I place my laptop at just a certain angle on the hotel room
bed... can't ask for better, I suppose.