Thanks to Mr David Honig <honig@amada.net> for the following:" Put the string "a&" in a file called "a" and perform "chmod +x a".Running "a" will quickly disable a Sun 4.x machine, even disallowing(counter to specs) root login as the kernel process table fills."" The cute thing is the size of the script, and how few keystrokes it takes to bring down a Sunas a regular user.".D.12. CRASHING DG/UX WITH ULIMIT ---------------------------------ulimit is used to set a limit on the system resources available to the shell. If ulimit 0 is called before /etc/passwd, under DG/UX, will the passwd file be set to zero..D.13. NETTUNE AND HP-UX------------------------/usr/contrib/bin/nettune is SETUID root on HP-UX meaningthat any user can reset all ICMP, IP and TCP kernelparameters, for example the following parameters:	- arp_killcomplete 	- arp_killincomplete	- arp_unicast 	- arp_rebroadcast	- icmp_mask_agent	- ip_defaultttl	- ip_forwarding	- ip_intrqmax	- pmtu_defaulttime	- tcp_localsubnets	- tcp_receive	- tcp_send	- tcp_defaultttl	- tcp_keepstart 	- tcp_keepfreq	- tcp_keepstop	- tcp_maxretrans	- tcp_urgent_data_ptr	- udp_cksum	- udp_defaultttl 	- udp_newbcastenable 	- udp_pmtu	- tcp_pmtu	- tcp_random_seqThe solution could be to set the proper permission on /sbin/mount_union:#chmod u-s /sbin/mount_union.D.14. SOLARIS 2.X AND NFS--------------------------If a process is writing over NFS and the user goes over the diskquota will the process go into an infinite loop..D.15. SYSTEM STABILITY COMPROMISE VIA MOUNT_UNION--------------------------------------------------By executing a sequence of mount_union commands any usercan cause a system reload on all FreeBSD version 2.X before1996-05-18.$ mkdir a$ mkdir b$ mount_union ~/a ~/b$ mount_union -b ~/a ~/bThe solution could be to set the proper permission on /sbin/mount_union:#chmod u-s /sbin/mount_union.D.16. trap_mon CAUSES KERNEL PANIC UNDER SUNOS 4.1.X----------------------------------------------------Executing the trap_mon instruction from user mode can causea kernel panic or a window underflow watchdog reset underSunOS 4.1.x, sun4c architecture..E. DUMPING CORE~~~~~~~~~~~~~~~~.E.1. SHORT COMMENT-------------------The core dumps things don't really belongs in this paper but I haveput them here anyway..E.2. MALICIOUS USE OF NETSCAPE-------------------------------Under Netscape 1.1N this link will result in a segmentation fault and acore dump.Ex:	<a name="http://xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.	xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxxxxx.xxx.xxx.	xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxxxxx.xxx.xxx.xxx.xxx.xxx.	xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxxxxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.	xxx.xxx.xxx.xxx.xxxxxx.xxx.xxx.xxx.xxx.xxx...>.E.3. CORE DUMPED UNDER WUFTPD------------------------------A core dumped could be created under wuftp with two differentmethods:	(1) Then pasv is given (user not logged in (ftp -n)). Almost all	versions of BSD:s ftpd.	(2) More than 100 arguments is given with any executable	command. Presents in all versions of BSD:sd ftpd..E.4. ld UNDER SOLARIS/X86--------------------------Under Solaris 2.4/X86 ld dumps core if given with the -s option..F. HOW DO I PROTECT A SYSTEM AGAINST DENIAL OF SERVICE ATTACKS?~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.F.1. BASIC SECURITY PROTECTION-------------------------------.F.1.1. INTRODUCTION--------------------You can not make your system totally secured against denial of serviceattacks but for attacks from the outside you can do a lot. I put thiswork list together and hope that it can be of some use. .F.1.2. SECURITY PATCHES------------------------Always install the proper security patches. As for patch numbersI don't want to put them out, but that doesn't matter because youanyway want to check that you have all security patches installed,so get a list and check! Also note that patches change over time andthat a solution suggested in security bulletins (i.e. CERT) oftenis somewhat temporary..F.1.3. PORT SCANNING---------------------Check which services you have. Don't check with the manualor some configuration file, instead scan the ports with sprobeor some other port scanner. Actual you should do this regualy to seethat anyone don't have installed a service that you don't want onthe system (could for example be service used for a pirate site).Disable every service that you don't need, could for example be rexd,fingerd, systat, netstat, rusersd, sprayd, pop3, uucpd, echo, chargen,tftp, exec, ufs, daytime, time... Any combination of echo, time, daytimeand chargen is possible to get to loop. There is however no needto turn discard off. The discard service will just read a packetand discard it, so if you turn off it you will get more sensitive todenial of service and not the opposite.Actual can services be found on many systems that can be used fordenial of service and brute force hacking without any logging. Forexample Stock rexec never logs anything. Most popd:s also don't log anything.F.1.4. CHECK THE OUTSIDE ATTACKS DESCRIBED IN THIS PAPER---------------------------------------------------------Check that attacks described in this paper and look at thesolution. Some attacks you should perform yourself to see if theyapply to your system, for example:	- Freezing up X-Windows.	- Malicious use of telnet.	- How to disable services.	- SunOS kernel panic.	- Attacking with lynx clients.	- Crashing systems with ping from Windows 95 machines.	That is stress test your system with several services and look atthe effect.Note that Solaris 2.4 and later have a limit on the number of ICMPerror messages (1 per 500 ms I think) that can cause problems thenyou test your system for some of the holes described in this paper.But you can easy solve this problem by executing this line:$ /usr/sbin/ndd -set /dev/ip ip_icmp_err_interval 0                                                            .F.1.5. CHECK THE INSIDE ATTACKS DESCRIBED IN THIS PAPER--------------------------------------------------------Check the inside attacks, although it is always possibly to crashthe system from the inside you don't want it to be to easy. Alsohave several of the attacks applications besides denial of service,for example:	- Crashing the X-Server: 	If stickybit is not set in /tmp					a number of attacks to gain					access can be performed.	- Using resolv_host_conf:	Could be used to expose					confidential data like					/etc/shadow.	- Core dumped under wuftpd:	Could be used to extract					password-strings.If I don't have put out a solution I might have recommended son other paper.If not I don't know of a paper with a solution I feel that I can recommend.You should in these causes check with your company..F.1.6. EXTRA SECURITY SYSTEMS------------------------------Also think about if you should install some extra security systems.The basic that you always should install is a logdaemon  and a wrapper.A firewall could also be very good, but expensive. Free tools that canbe found on the Internet is for example:TYPE:		NAME:		URL:LOGDAEMON	NETLOG		ftp://net.tamu.edu/pub/security/TAMUWRAPPER		TCP WRAPPERS	ftp://cert.org/pub/tools/tcp_wrappersFIREWALL	TIS 		ftp://ftp.tis.com/pub/firewalls/toolkitNote that you should be very careful if building your own firewall withTIS or you might open up new and very bad security holes, but it is a verygood security packer if you have some basic knowledge.It is also very good to replace services that you need, for example telnet,rlogin, rsh or whatever, with a tool like ssh. Ssh is free and can befound at URL: 	ftp://ftp.cs.hut.fi/pub/sshThe addresses I have put out are the central sites for distributingand I don't think that you should use any other except for CERT.For a long list on free general security tools I recommend:"FAQ: Computer Security Frequently Asked Questions"..F.1.7. MONITORING SECURITY---------------------------Also monitor security regular, for example through examining system logfiles, history files... Even in a system without any extra security systemscould several tools be found for monitoring, for example: 	- uptime	- showmount	- ps	- netstat	- finger(see the man text for more information)..F.1.8. KEEPING UP TO DATE--------------------------It is very important to keep up to date with security problems. Also understand that then, for example CERT, warns for something it has oftenbeen dark-side public for sometime, so don't wait. The following resourcesthat helps you keeping up to date can for example be found on the Internet:	- CERT mailing list. Send an e-mail to cert@cert.org to be placed	on the list.		- Bugtraq mailing list. Send an e-mail to bugtraq-request@fc.net.	- WWW-security mailing list. Send an e-mail to 	www-security@ns2.rutgers.edu..F.1.9. READ SOMETHING BIGGER AND BETTER----------------------------------------Let's start with papers on the Internet. I am sorry to say that it is notvery many good free papers that can be found, but here is a small collectionand I am sorry if have have over looked a paper.(1) The Rainbow books is a long series of free books on computer security.US citizens can get the books from:	INFOSEC AWARENESS OFFICE	National Computer Security Center	9800 Savage Road	Fort George G. Meader, MD 20755-600We other just have to read the papers on the World Wide Web. Everypaper can not however be found on the Internet.(2) "Improving the security of your Unix system" by Curry  is also verynice if you need the very basic things. If you don't now anything aboutcomputer security you can't find a better start. (3) "The WWW security FAQ" by Stein is although it deal with W3-securitythe very best better on the Internet about computer security.(4) CERT have aklso published several good papers, for example:	- Anonymous FTP Abuses.	- Email Bombing and Spamming.	- Spoofed/Forged Email.	- Protecting yourself from password file attacks.I think however that the last paper have overlooked several things.(5) For a long list on papers I can recommend:"FAQ: Computer Security Frequently Asked Questions".(6) Also see section ".G. SUGGESTED READING"You should also get some big good commercial book, but I don't wantto recommend any..F.2. MONITORING PERFORMANCE----------------------------.F.2.1. INTRODUCTION--------------------There is several commands and services that can be used formonitoring performance. And at least two good free programs canbe found on Internet..F.2.2. COMMANDS AND SERVICES-----------------------------For more information read the man text. netstat		Show network status.nfsstat		Show NFS statistics.sar		System activity reporter.vmstat		Report virtual memory statistics.timex		Time a command, report process data and system		activity.time 		Time a simple command.truss		Trace system calls and signals.uptime		Show how long the system has been up.Note that if a public netstat server can be found you might be ableto use netstat from the outside. netstat can also give informationlike tcp sequence numbers and much more..F.2.3. PROGRAMS----------------Proctool: Proctool is a freely available tool for Solaris that monitorsand controls processes.	ftp://opcom.sun.ca/pub/binaries/	Top: Top might be a more simple program than Proctool, but isgood enough..F.2.4. ACCOUNTING------------------To monitor performance you have to collect information over a long period of time. All Unix systems have some sort of accounting logsto identify how much CPU time, memory each program uses. You shouldcheck your manual to see how to set this up.You could also invent your own account system by using crontab anda script with the commands you want to run. Let crontab run the scriptevery day and compare the information once a week. You could forexample let the script run the following commands:	- netstat	- iostat -D	- vmstat.G. SUGGESTED READING~~~~~~~~~~~~~~~~~~~~~.F.1. INFORMATION FOR DEEPER KNOWLEDGE-------------------------------------(1) Hedrick, C. Routing Information Protocol. RFC 1058, 1988.(2) Mills, D.L. Exterior Gateway Protocol Formal Specification. RFC 904, 1984.(3) Postel, J. Internet Control Message Protocol. RFC 792, 1981.(4) Harrenstien, K. NAME/FINGER Protocol, RFC 742, 1977.(5) Sollins, K.R. The TFTP Protocol, RFC 783, 1981.(6) Croft, W.J. Bootstrap Protocol, RFC 951, 1985.Many of the papers in this category was RFC-papers. A RFC-paperis a paper that describes a protocol. The letters RCS stands forRequest For Comment. Hosts on the Internet are expected to understandat least the common ones. If you want to learn more about a protocolit is always good to read the proper RFC. You can find a nice sRFC index search form at URL:	http://pubweb.nexor.co.uk/public/rfc/index/rfc.html.F.2. KEEPING UP TO DATE INFORMATION------------------------------------(1) CERT mailing list. Send an e-mail to cert@cert.org to be placedon the list.(2) Bugtraq mailinglist. Send an e-mail to bugtraq-request@fc.net.(3) WWW-security mailinglist. Send an e-mail to www-security@ns2.rutgers.edu.(4) Sun Microsystems Security Bulletins.(5) Various articles from: 		- comp.security.announce					- comp.security.unix					- comp.security.firewalls(6) Varius 40Hex Issues..F.3. BASIC INFORMATION-----------------------(1) Husman, H. INTRODUKTION TILL DATAS腒ERHET UNDER X-WINDOWS, 1995.(2) Husman, H. INTRODUKTION TILL IP-SPOOFING, 1995.(3) The following rainbow books:	- Teal Green Book (Glossary of					Computer Security Terms).					- Bright Orange Book( A Guide					to Understanding Security Testing					and Test Documentation in Trusted					Systems).					- C1 Technical Report-001 					(Computer Viruses: Preventation,					Detection, and Treatment).(4) Ranum, Marcus. Firewalls, 1993.(5) Sun Microsystems, OpenWindows V3.0.1. User Commands, 1992.(6) Husman, H. ATT SP臨A ODOKUMENTERADE S腒ERHETSLUCKOR, 1996.(7) Dark OverLord, Unix Cracking Tips, 1989.(8) Shooting Shark, Unix Nasties, 1988.(9) LaDue, Mark.D. Hostile Applets on the Horizone, 1996.(10) Curry, D.A. Improving the security of your unix system, 1990.(11) Stein, L.D. The World Wide Web security FAQ, 1995.(12) Bellovin, S.M. Security Problems in the TCP/IP Protocol, 1989..H. COPYRIHT------------This paper is Copyright (c) 1996 by Hans Husman.Permission is hereby granted to give away free copies electronically. Youmay distribute, transfer, or spread this paper electronically. You may notpretend that you wrote it. This copyright notice must be maintained in anycopy made. If you wish to reprint the whole or any part of this paper in anyother medium excluding electronic medium, please ask the author forpermission..I. DISCLAIMER--------------The information within this paper may change without notice. Use of thisinformation constitutes acceptance for use in an AS IS condition. There areNO warranties with regard to this information. In no event shall the authorbe liable for any damages whatsoever arising out of or in connection withthe use or spread of this information. Any use of this information is at theuser's own risk.