From nobody@FreeBSD.org  Fri Aug 20 22:16:03 2004
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9BF0616A4CE
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 20 Aug 2004 22:16:03 +0000 (GMT)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 9053343D3F
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 20 Aug 2004 22:16:03 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.12.11/8.12.11) with ESMTP id i7KMG3pI065888
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 20 Aug 2004 22:16:03 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.11/8.12.11/Submit) id i7KMG30p065887;
	Fri, 20 Aug 2004 22:16:03 GMT
	(envelope-from nobody)
Message-Id: <200408202216.i7KMG30p065887@www.freebsd.org>
Date: Fri, 20 Aug 2004 22:16:03 GMT
From: Jeff Harper <jeff@acmeshells.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ddos attack causes box to crash on kernel 5.2.1
X-Send-Pr-Version: www-2.3

>Number:         70747
>Category:       i386
>Synopsis:       ddos attack causes box to crash on kernel 5.2.1
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-i386
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Aug 20 22:20:16 GMT 2004
>Closed-Date:    Mon Jul 16 12:55:34 GMT 2007
>Last-Modified:  Mon Jul 16 12:55:34 GMT 2007
>Originator:     Jeff Harper
>Release:        5.2.1
>Organization:
AcmeShells
>Environment:
FreeBSD monarch.acmeshells.com 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE #2: Fri Aug 20 12:41:46 MST 2004     jeff@monarch.acmeshells.com:/usr/src/sys/i386/compile/MONARCH  i386
>Description:
      When someone issues an attack to the machine, the machine ends up crashing; only rebooting will bring it back to life.

logs of attack:

15:51:48.648519 66.235.193.71.2940 > 69.28.170.151.53:  12337 op6$ [b2&3=0x3233] [13879a] [13365q] [14393n] [16706au][|domain]
15:51:48.648525 66.235.193.71.2940 > 69.28.170.151.53:  12337 op6$ [b2&3=0x3233] [13879a] [13365q] [14393n] [16706au][|domain]
15:51:48.648533 66.235.193.71.2940 > 69.28.170.151.53:  12337 op6$ [b2&3=0x3233] [13879a] [13365q] [14393n] [16706au][|domain]
They send about 200,000 of these to port 53 and bam, the box crashes. This is a plain install with ipfw enabled; ipfw has port 53 blocked on that IP and it still does not help.
>How-To-Repeat:
      Someone would have to attack the IP using whatever method they are using.
>Fix:
      
>Release-Note:
>Audit-Trail:

From: Jeff Harper <jeff@dragonflu.com>
To: freebsd-gnats-submit@FreeBSD.org, jeff@acmeshells.com
Cc:  
Subject: Re: i386/70747: ddos attack causes box to crash on kernel 5.2.1
Date: Fri, 20 Aug 2004 20:12:45 -0600

 My apologies, this is a UDP attack. The only way to stop it is to block all 
 UDP to the box; however, one shouldn't have to block every UDP packet to the box.
 
State-Changed-From-To: open->feedback 
State-Changed-By: gavin 
State-Changed-When: Mon Jun 11 18:19:48 UTC 2007 
State-Changed-Why:  

To submitter:  I wonder if you are able to recreate this on a more 
recent version of FreeBSD?  If so, can you explain exactly what 
you mean by "crashes"?  Does the machine hang hard or reboot?  Do 
you get any messages on the console? 
Also, you mention that you are using ipfw.  Do you have any unusual 
rules in your firewall, especially ones that look at user/group 
information? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=70747 
State-Changed-From-To: feedback->closed 
State-Changed-By: gavin 
State-Changed-When: Mon Jul 16 12:55:06 UTC 2007 
State-Changed-Why:  
Feedback timeout (> 1 month) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=70747 
>Unformatted:

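The tcpdump lines quoted in the description are the only evidence in this PR, so a useful thing for an operator to have is a small script that reads that classic tcpdump text format, groups packets by (source, destination, destination port) flow, and flags a flow whose packet count within a short window exceeds a threshold, while also counting packets whose DNS payload tcpdump could not decode (the trailing `[|domain]` marker means the decoder gave up on a truncated or malformed DNS message). The code below is an added example, not part of PR 70747 or of FreeBSD; the parser, the `find_floods` sliding-window check and the threshold values are assumptions, and the sample input is constructed from the three packets in the report plus two made-up ordinary DNS queries so the check has something normal to compare against.

```python
import re
from collections import defaultdict

# Constructed sample: the three packets quoted in PR 70747 followed by two
# made-up, well-formed DNS queries from other sources (constructed data).
SAMPLE_TCPDUMP = """\
15:51:48.648519 66.235.193.71.2940 > 69.28.170.151.53:  12337 op6$ [b2&3=0x3233] [13879a] [13365q] [14393n] [16706au][|domain]
15:51:48.648525 66.235.193.71.2940 > 69.28.170.151.53:  12337 op6$ [b2&3=0x3233] [13879a] [13365q] [14393n] [16706au][|domain]
15:51:48.648533 66.235.193.71.2940 > 69.28.170.151.53:  12337 op6$ [b2&3=0x3233] [13879a] [13365q] [14393n] [16706au][|domain]
15:51:49.100000 198.51.100.7.40123 > 69.28.170.151.53:  4711+ A? example.com. (29)
15:51:49.200000 198.51.100.8.40124 > 69.28.170.151.53:  4712+ A? example.org. (29)
"""

# Classic tcpdump line: "HH:MM:SS.ffffff src.sport > dst.dport: payload"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s*(?P<payload>.*)$"
)


def ts_to_seconds(ts):
    """Convert HH:MM:SS.ffffff to seconds since midnight as a float."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_tcpdump(text):
    """Parse tcpdump text lines into dicts; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        packets.append({
            "t": ts_to_seconds(m["ts"]),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "payload": m["payload"],
            # "[|domain]" is tcpdump's marker for a DNS payload it could not decode.
            "malformed": "[|domain]" in m["payload"],
        })
    return packets


def find_floods(packets, window=1.0, threshold=3):
    """Return {(src, dst, dport): peak count} for flows that put at least
    `threshold` packets into any `window`-second interval (hypothetical
    defaults chosen for this tiny sample; real thresholds are much higher)."""
    by_flow = defaultdict(list)
    for p in packets:
        by_flow[(p["src"], p["dst"], p["dport"])].append(p["t"])
    floods = {}
    for flow, times in by_flow.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window` seconds.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            floods[flow] = peak
    return floods


def summarize(packets, window=1.0, threshold=3):
    """Totals an operator would want at a glance: volume, undecodable DNS, flooding flows."""
    return {
        "total": len(packets),
        "malformed_dns": sum(1 for p in packets if p["malformed"]),
        "floods": find_floods(packets, window, threshold),
    }


if __name__ == "__main__":
    print(summarize(parse_tcpdump(SAMPLE_TCPDUMP)))
```

On the sample, the flow from 66.235.193.71 to port 53 is flagged (three packets 14 microseconds apart) and all three of its packets are counted as undecodable DNS, while the two constructed queries are not flagged. In practice the input would be `tcpdump -n` output captured on the interface, and the threshold tuned to the host's normal query rate; the script only observes what reached the capture point, so it cannot by itself show where in the stack the reported crash happened.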