[unisog] DDoS IRC bots

Peter Van Epp vanepp at sfu.ca
Fri Mar 7 05:32:01 GMT 2003


On Thu, Mar 06, 2003 at 02:11:15PM -0800, Bill McCarty wrote:
> --On Thursday, March 06, 2003 7:57 AM -0800 Peter Van Epp <vanepp at sfu.ca>
> wrote:
> 
<snip>
> 
> BTW, a known defect in Snort 1.9.0 can lead to remote compromise of even a
> system configured for passive sniffing. This vulnerability was the subject
> of DHS/NIPC Advisory 03-00. I speculate that tcpdump may contain
> undisclosed  or unknown vulnerabilities that are similarly exploitable. So,
> reliably monitoring a honeynet is not at all straightforward.
> 

	Tcpdump has certainly had holes in the past (the recent past if I 
remember correctly :-)). There would be a lot of uses for a simple capture
utility that did nothing but capture and write the packets to file, especially
on faster links (several of mine are gig). I suspect that a general purpose
Unix isn't the answer (too much overhead); something like the RTEMS rtos 
(www.oarcorp.com) is one possible answer I keep meaning to explore. A simple 
OS that does nothing but read packets in from the interface and write the 
packet (in tcpdump format for time stamps etc. but with no interpretation or 
context/memory space switches (and thus no copies)) to a file system (or raw
disk if needed for performance, which it might be) would be a thing of beauty. 
You of course then run headlong into disk performance issues, but throwing 
money at it (probably in the form of a raid like parallel disk farm) should 
cure that. One day in the far future when there is time :-).

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
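The "tcpdump format" the post wants the capture-only utility to write is the libpcap file format: a 24-byte global header, then for every packet a 16-byte record header (seconds, microseconds, stored length, wire length) followed by the raw bytes, with no decoding at all. Below is an added example of such a writer, not code from the post or from tcpdump/libpcap; it assumes the usual ABI where these structs carry no padding, and the frame and timestamp are constructed sample data.

```c
/* Minimal libpcap/tcpdump file-format writer: headers plus raw bytes, no
 * packet interpretation. Native byte order is fine because the magic number
 * tells a reader which order the file was written in. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PCAP_MAGIC      0xa1b2c3d4u  /* microsecond timestamps, native order */
#define LINKTYPE_EN10MB 1u           /* Ethernet */

/* Global header, written once at the start of the file (24 bytes). */
struct pcap_file_header {
    uint32_t magic;
    uint16_t version_major, version_minor;   /* 2.4 */
    int32_t  thiszone;                       /* GMT offset, always 0 */
    uint32_t sigfigs;                        /* timestamp accuracy, unused */
    uint32_t snaplen;                        /* max bytes stored per packet */
    uint32_t linktype;
};

/* Per-packet record header (16 bytes): capture time and lengths. */
struct pcap_rec_header {
    uint32_t ts_sec, ts_usec;
    uint32_t caplen;   /* bytes actually stored in the file */
    uint32_t len;      /* bytes seen on the wire */
};

/* Write the global header; returns the number of bytes written. */
size_t pcap_write_file_header(FILE *fp, uint32_t snaplen) {
    struct pcap_file_header h = { PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_EN10MB };
    return fwrite(&h, 1, sizeof h, fp);
}

/* Append one packet. Stored bytes are truncated to snaplen, but the wire
 * length is recorded so a reader knows truncation happened. */
size_t pcap_write_packet(FILE *fp, uint32_t ts_sec, uint32_t ts_usec,
                         const uint8_t *pkt, uint32_t wirelen, uint32_t snaplen) {
    uint32_t caplen = wirelen < snaplen ? wirelen : snaplen;
    struct pcap_rec_header r = { ts_sec, ts_usec, caplen, wirelen };
    size_t n = fwrite(&r, 1, sizeof r, fp);
    return n + fwrite(pkt, 1, caplen, fp);
}

/* Constructed demo: one 60-byte dummy frame captured with a 40-byte snaplen
 * into a temporary file. Returns the resulting file size, or -1 on error. */
long pcap_demo(void) {
    uint8_t frame[60];
    memset(frame, 0xAB, sizeof frame);        /* constructed bytes, not traffic */
    FILE *fp = tmpfile();
    if (!fp) return -1;
    size_t n = pcap_write_file_header(fp, 40);
    n += pcap_write_packet(fp, 1047015121u, 0u, frame, sizeof frame, 40); /* constructed time */
    fseek(fp, 0, SEEK_END);
    long size = ftell(fp);
    fclose(fp);
    return (size >= 0 && (size_t)size == n) ? size : -1;
}
```

The resulting file is 24 + 16 + 40 = 80 bytes and opens in tcpdump with `-r`; a real tool would keep the snaplen large enough to avoid the truncation the demo deliberately shows.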
