Proventia Server IPS for Linux technology, RealSecure Desktop, RealSecure Desktop Protector 3.6, Proventia Network IPS, Proventia Network MFS, IBM Security Server Protection for Windows, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Desktop, BlackICE PC Protection, BlackICE Server Protection, RealSecure Sentry, RealSecure Guard, BlackICE Agent for Server, RealSecure Server Sensor, RealSecure Network, Virtual Server Protection for VMware:
This signature detects an unusually high volume of TCP packets with the ACK flag set being sent to a host on the network. This signature only considers ACK packets that are not associated with an active connection. These conditions are highly indicative of a stream denial of service attack.
Based on parameters configured in the Policy Editor, this signature triggers when a specified number of ACK packets are sent to a single destination without a reply being sent by the target host. If a reply is seen from the target host, the outstanding ACK count is reset to zero.
For more information about changing the configurable parameters of a signature, see Changing Advanced Properties.
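The counting rule described above, as an added example in Python (this is not IBM/ISS code). The class name, the `threshold` argument standing in for the Policy Editor parameter, the SYN-based connection tracking and the rule that any packet sent by the target counts as a reply are all assumptions; the packets are constructed and use documentation addresses.

```python
from collections import defaultdict

SYN, ACK = 0x02, 0x10  # TCP flag bits


class AckFloodDetector:
    """Hypothetical model of the signature: count ACKs outside any connection."""

    def __init__(self, threshold):
        self.threshold = threshold            # assumed stand-in for the configured count
        self.connections = set()              # flows opened with a SYN (simplified tracking)
        self.outstanding = defaultdict(int)   # destination -> unanswered ACK count

    @staticmethod
    def _flow(src, sport, dst, dport):
        # Direction-independent key for a TCP flow.
        return frozenset([(src, sport), (dst, dport)])

    def observe(self, src, sport, dst, dport, flags):
        """Process one TCP packet; return True if it triggers the alert."""
        # A packet sent by a tracked destination is a reply: reset its count.
        if src in self.outstanding:
            self.outstanding[src] = 0
        flow = self._flow(src, sport, dst, dport)
        if flags & SYN:
            self.connections.add(flow)        # handshake seen, flow is "active"
            return False
        if not flags & ACK or flow in self.connections:
            return False                      # not an ACK, or part of a connection
        self.outstanding[dst] += 1
        return self.outstanding[dst] == self.threshold  # fire once per run


def alerts(packets, threshold):
    """Return the destinations that triggered, in order."""
    det = AckFloodDetector(threshold)
    return [p[2] for p in packets if det.observe(*p)]


# Constructed traffic: five ACKs from different sources to random ports on one host.
FLOOD = [("198.51.100.%d" % i, 1024 + i, "192.0.2.10", 2000 + i, ACK)
         for i in range(1, 6)]
# Constructed reply from the target host.
REPLY = [("192.0.2.10", 80, "203.0.113.5", 40000, ACK)]
# Constructed normal session: handshake followed by ACKs on the same flow.
LEGIT = [("203.0.113.5", 40000, "192.0.2.10", 80, SYN),
         ("192.0.2.10", 80, "203.0.113.5", 40000, SYN | ACK)] \
        + [("203.0.113.5", 40000, "192.0.2.10", 80, ACK)] * 5

if __name__ == "__main__":
    print(alerts(FLOOD, 5), alerts(FLOOD[:3] + REPLY + FLOOD[3:], 5), alerts(LEGIT, 5))
```

The reset-on-reply rule is why a host that is still answering traffic does not trigger the signature, and why the threshold should be tuned against how quiet the protected hosts normally are.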
Medium
Proventia Server IPS for Linux technology: 1.0, RealSecure Desktop: baseline, RealSecure Desktop Protector 3.6: baseline, Proventia Network IPS: 2.0, Proventia Network MFS: 1.0, IBM Security Server Protection for Windows: 2.1.14.2400, IBM Security Server Protection for Windows: 1.0.914.0, Proventia Network IDS: A Series, Proventia-G 1.1 and earlier: G Series, Proventia Desktop: 8.0.614.1, BlackICE PC Protection: 3.6.cbd, BlackICE Server Protection: 3.6.cbd, RealSecure Sentry: 3.6, RealSecure Guard: 3.6, BlackICE Agent for Server: 3.6, RealSecure Desktop Protector: 3.6, RealSecure Server Sensor: 7.0, RealSecure Network: 7.0, RealSecure Network: 5.0, Virtual Server Protection for VMware: 1.0
Various vendors: Any application
Denial of Service
The stream.c attack is a denial of service attack designed to crash a vulnerable system by sending a flood of spoofed TCP packets with the ACK flag set to random destination ports on the host. This can cause certain versions of FreeBSD and possibly other systems to kernel panic and crash. This attack is also used in the mstream distributed denial of service tool.
Upgrade to the latest version of FreeBSD (4.3 or later). Other systems are not at much risk unless this attack is part of a distributed denial of service (DDoS) attack, such as mstream. See References.
BugTraq Mailing List, Thu Jan 20 2000 - 21:01:33 CST
Quick remedy for stream.c
http://archives.neohapsis.com/archives/bugtraq/2000-01/0285.html
Internet Security Systems Security Alert #48
"mstream" Distributed Denial of Service Tool
http://www.iss.net/xforce/alerts/id/advise48
BugTraq Mailing List, Fri Jan 21 2000 - 11:25:26 CST
explanation and code for stream.c issues
http://archives.neohapsis.com/archives/bugtraq/2000-01/0283.html
ISS X-Force
Stream.c denial of service
http://www.iss.net/security_center/static/4485.php