RealSecure Server Sensor, BlackICE Agent for Server, RealSecure Desktop Protector, RealSecure Guard, Proventia Network MFS, Proventia Server IPS for Microsoft Windows technology, RealSecure Sentry, BlackICE PC Protection, BlackICE Server Protection, RealSecure Network, Proventia Network IPS, Proventia Desktop, Proventia Server IPS for Linux technology, Proventia-G 1.1 and earlier:
This signature detects an unusually high volume of TCP packets with the ACK flag set being sent to a host on the network. This signature only considers ACK packets that are not associated with an active connection. These conditions are highly indicative of a stream denial of service attack.
Based on parameters configured in the Policy Editor, this signature triggers when a specified number of ACK packets are sent to a single destination without a reply being sent by the target host. If a reply is seen from the target host, the outstanding ACK count is reset to zero.
For more information about changing the configurable parameters of a signature, see Changing Advanced Properties.
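The counting logic described above, as an added sketch (not ISS code): `StrayAckDetector` and `threshold` are hypothetical names, the packets are constructed sample data, and two simplifications are assumed: a connection counts as active once a SYN has been seen for it, and any packet sent by the target counts as its reply.

```python
from collections import defaultdict

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits

class StrayAckDetector:
    def __init__(self, threshold):
        self.threshold = threshold           # hypothetical name for the configured count
        self.flows = set()                   # connections opened by a SYN
        self.outstanding = defaultdict(int)  # target -> unanswered stray ACKs
        self.alerts = []                     # targets that crossed the threshold

    def observe(self, src, sport, dst, dport, flags):
        """Feed one TCP packet; return True if it triggers the signature."""
        flow = frozenset(((src, sport), (dst, dport)))  # direction-independent key
        # Assumption: any packet sent by a counted host is its "reply".
        self.outstanding.pop(src, None)
        if flags & SYN:
            self.flows.add(flow)
            return False
        if flags & RST:
            self.flows.discard(flow)
            return False
        if not flags & ACK or flow in self.flows:
            return False                     # not an ACK, or part of a tracked connection
        self.outstanding[dst] += 1
        if self.outstanding[dst] == self.threshold:
            self.alerts.append(dst)
            return True
        return False

def run_sample(threshold=5):
    """Run the detector over constructed packets (documentation addresses)."""
    d = StrayAckDetector(threshold)
    # Normal handshake plus data ACKs: never counted.
    d.observe("10.0.0.5", 40000, "10.0.0.9", 80, SYN)
    d.observe("10.0.0.9", 80, "10.0.0.5", 40000, SYN | ACK)
    for _ in range(10):
        d.observe("10.0.0.5", 40000, "10.0.0.9", 80, ACK)
    # Stray ACKs from varying sources to a silent host: triggers at the 5th.
    for i in range(6):
        d.observe(f"198.51.100.{i + 1}", 1024 + i, "10.0.0.20", 2000 + i, ACK)
    # Host that answers part-way through: count resets, no alert.
    for i in range(3):
        d.observe(f"203.0.113.{i + 1}", 1024 + i, "10.0.0.30", 3000 + i, ACK)
    d.observe("10.0.0.30", 3000, "203.0.113.1", 1024, RST)
    for i in range(3):
        d.observe(f"203.0.113.{i + 10}", 2024 + i, "10.0.0.30", 4000 + i, ACK)
    return d.alerts
```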
Medium
RealSecure Server Sensor: 7.0, BlackICE Agent for Server: 3.6, RealSecure Desktop Protector: 3.6, RealSecure Guard: 3.6, Proventia Network MFS: 1.0, Proventia Server IPS for Microsoft Windows technology: 1.0.914.0, RealSecure Sentry: 3.6, BlackICE PC Protection: 3.6.cbd, BlackICE Server Protection: 3.6.cbd, RealSecure Network: 7.0, RealSecure Network: 5.0, Proventia Network IPS: 2.0, Proventia Desktop: 8.0.614.1, Proventia Server IPS for Linux technology: 1.0, Proventia-G 1.1 and earlier: G Series
Various vendors Any application
Denial of Service
The stream.c attack is a denial of service attack designed to crash a vulnerable system by sending a flood of spoofed TCP packets with the ACK flag set to random destination ports on the host. This can cause certain versions of FreeBSD and possibly other systems to kernel panic and crash. This attack is also used in the mstream distributed denial of service tool.
Upgrade to the latest version of FreeBSD (4.3 or later). Other systems are not at much risk unless this attack is part of a distributed denial of service (DDoS) attack, such as mstream. See References.
BugTraq Mailing List, Thu Jan 20 2000 - 21:01:33 CST
Quick remedy for stream.c
http://archives.neohapsis.com/archives/bugtraq/2000-01/0285.html
Internet Security Systems Security Alert #48
"mstream" Distributed Denial of Service Tool
http://www.iss.net/xforce/alerts/id/advise48
BugTraq Mailing List, Fri Jan 21 2000 - 11:25:26 CST
explanation and code for stream.c issues
http://archives.neohapsis.com/archives/bugtraq/2000-01/0283.html
ISS X-Force
Stream.c denial of service
http://www.iss.net/security_center/static/4485.php