Re: Remote DoS Attack in Eeye Iris 1.01 and SpyNet CaptureNet v3.12 Vulnerability
From: Jonathan Rickman <jonathan () XCORPS NET>
Date: Thu, 31 Aug 2000 20:37:19 -0400
Attack Platform: PII 366 / 64mb RAM / Xircom CEM 56-100 / X-over Cable
AMD K6 300mhz / 64mb RAM / Xircom CEM 56-100 / approx 45 seconds
P200mmx / 96mb / 3C905B-TX / 3 minutes 33 seconds
PIII 500mhz / 256mb RAM / Some kind of Intel card? (built in)
PII 400mhz / 64mb RAM / 3C905B-TX
From what I've seen with my own eyes, this appears to be directly related
to processing power (or lack thereof). It should also be mentioned that
the attack platform was at 98% or higher CPU usage during all 4 attacks.
The machines that survived were under attack for at least 10 minutes. None
of the victim hosts were running anything during the attacks. I have a
feeling that the last machine would have crashed had anything else been
running on it.
So...to quote Marc Maiffret:
"While we do not discount the fact that Iris might crash when flooded
with thousands of packets, we think it will be rare for any modern system
(i.e. our recommended hardware configuration, 400mhz, 128megs of ram, or
better) to be vulnerable to this 'bug.'"
I have to agree...
On Thu, 31 Aug 2000, Elias Levy wrote:
If anyone can reproduce the crash of Iris please let us know. Being able
to force a sniffer application from using most of its CPU by flooding
the network is an endemic problem of that type of application, although
in this case the problem seems like it can easily be mitigated by configuring
the app not to display packets graphically, which is what is consuming most
of the CPU.
The real possible vulnerability is the heap overflow that may make Iris
crash. If anyone can verify this claim we'd like to hear from them.
Si vis pacem, para bellum
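The thread above makes two design points about sniffers under flood: per-packet rendering is the CPU sink, and a capture tool should degrade (drop from the display path, keep capturing, flag the condition) rather than stall or fall over. The following is an added example, not code from this thread nor from eEye Iris or SpyNet CaptureNet. It models that behaviour with a sliding-window packets-per-second monitor and a bounded hand-off queue between capture and a deliberately slow renderer; all packet timestamps, the queue size, the render budget and the flood threshold are constructed sample values.

```python
"""Flood-tolerant packet consumer (added example, not the thread's own code).

Models the failure mode discussed in the thread: a sniffer whose per-packet
display work cannot keep up with a flood. Two defensive pieces:
  * FloodMonitor  - sliding-window packets-per-second check that flags a flood
  * DisplayQueue  - bounded queue between capture and rendering; when full,
                    packets are counted and dropped from the display path
                    instead of blocking capture or growing memory without bound
All packets, timestamps, thresholds and the render budget are constructed.
"""
from collections import deque


class FloodMonitor:
    """Flags when more than `threshold` packets arrive within `window` seconds."""

    def __init__(self, window=1.0, threshold=1000):
        self.window = window
        self.threshold = threshold
        self._times = deque()

    def observe(self, ts):
        self._times.append(ts)
        # Evict timestamps that have fallen out of the sliding window.
        while self._times and ts - self._times[0] > self.window:
            self._times.popleft()
        return len(self._times) > self.threshold


class DisplayQueue:
    """Bounded hand-off from capture to the (expensive) rendering step."""

    def __init__(self, maxlen=256):
        self._q = deque()
        self.maxlen = maxlen
        self.accepted = 0
        self.dropped = 0
        self.rendered = 0

    def offer(self, pkt):
        if len(self._q) >= self.maxlen:
            self.dropped += 1      # display path saturated: drop, never block
            return False
        self._q.append(pkt)
        self.accepted += 1
        return True

    def drain(self, budget):
        """Render at most `budget` packets; stands in for the GUI's work."""
        n = min(budget, len(self._q))
        for _ in range(n):
            self._q.popleft()      # a real sniffer would draw the packet here
        self.rendered += n
        return n

    def pending(self):
        return len(self._q)


def run_simulation(timestamps, render_every=100, render_budget=10,
                   window=1.0, threshold=1000, maxlen=256):
    """Feed constructed packet timestamps through the monitor and the queue.

    The renderer gets `render_budget` packets every `render_every` captures,
    i.e. it is deliberately slower than capture, as a GUI under flood would be.
    """
    monitor = FloodMonitor(window, threshold)
    queue = DisplayQueue(maxlen)
    first_flood = None
    for i, ts in enumerate(timestamps):
        if monitor.observe(ts) and first_flood is None:
            first_flood = i        # first packet index at which the rate tripped
        queue.offer(("pkt", i))
        if (i + 1) % render_every == 0:
            queue.drain(render_budget)
    return {
        "first_flood_index": first_flood,
        "accepted": queue.accepted,
        "dropped": queue.dropped,
        "rendered": queue.rendered,
        "pending": queue.pending(),
    }


def flood_stream(count=5000, spacing=0.0001):
    """Constructed flood: `count` packets `spacing` seconds apart (10,000 pps)."""
    return [i * spacing for i in range(count)]


def normal_stream(count=200, spacing=0.01):
    """Constructed quiet traffic: 100 pps."""
    return [i * spacing for i in range(count)]


if __name__ == "__main__":
    print("flood :", run_simulation(flood_stream()))
    print("normal:", run_simulation(normal_stream()))
```

Under the constructed flood the monitor trips at packet 1000, the queue saturates on the third render tick and then drops 90 of every 100 packets while the renderer keeps its fixed budget; under the quiet stream nothing is dropped and the monitor stays silent. The drop counter is the operational signal: it tells the operator the display is lossy without the capture thread ever stalling, which is the property the thread identifies as missing.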