Information for MacOS

All of the information here is for PowerMacs, but it's worth pointing out that the older Macs are vulnerable too (according to the one report I've had). Most versions of the operating system in the 7.x.x range seem to be at risk.
People have now managed to crash Macs running OpenTransport TCP/IP, the NCSA telnet stack and MacTCP. The one common thread is that the system must be busy, ideally swapping, or at least running a large application.

To reliably crash OpenTransport, it seems that more than one ping is usually required. Send maybe ten or fifteen big pings, then do something that requires allocating some memory, such as opening a Finder window. This should crash the machine (this handy hint is from Eric Shaw).


This is being looked at by Glenn Anderson, who mailed me with this message...

I have been doing some tests and going through some code in MacTCP, and my results show MacTCP not to be vulnerable to this problem. The reason for this turns out to be MacTCP only allocates a 40k buffer for general use, and this buffer is used for assembling fragmented packets as well as ICMP responses and other things. As a result, MacTCP can't assemble a packet that big and just discards it. In general I have found that the largest ping that a computer running MacTCP can respond to is about 8k. This is because it has to allocate a buffer for the ICMP response and if there is no free memory it can't do that.

If you have any reports from people using MacTCP who are getting crashes I would be interested in working out what the problem is.

I have tried sending oversized pings to these systems (all running System 7.5.5 and MacTCP 2.0.6) without any problems:
PowerBook 5300 with a Global Village PCMCIA ethernet
PowerMac 6100 with built-in ethernet
Macintosh IIcx with Novel Etherport NuBus ethernet

I tried sending an oversized ping to my PowerMac 9500 running Open Transport 1.1.1 and it locked up totally.

Plus some more info...

An NT box on a LAN crashes a Power Mac 9500 easily and totally. We try crashing remote systems next, going through an Ascend P50 at each end and maybe 18 Internet hops: I switch the 7500 to a dial-up MacSLIP PPP connection: Can't crash it.

We didn't try any floods or heavy network activity on the targets, though, just a few packets each.

Some other interesting phenomena:

While testing, I was running constant ping and doing traceroutes on the target system to the attacking system (MacTCP Watcher 2.0 and WhatHost): The ping of death interrupted the flow of pings and the traceroute. Everything recovered after a minute or so, but I was unable to ping or traceroute while the POD was trying to get through all the intermediate hops.
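
Glenn Anderson's message above attributes MacTCP's behaviour to a 40k buffer that cannot hold an oversized datagram, so the fragments are discarded. The C routine below is an added example (not MacTCP's or Open Transport's code; every name in it is hypothetical) of the bounds check that produces that outcome on purpose: offset plus length is validated against the IPv4 limit and the buffer size before anything is copied.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP_MAX_PAYLOAD (65535u - 20u) /* 16-bit total length minus minimal header */
#define REASM_POOL     (40u * 1024u)  /* the 40k figure from the message above */

enum frag_result { FRAG_STORED, FRAG_COMPLETE, FRAG_DROP_OVERSIZE,
                   FRAG_DROP_NOBUF, FRAG_DROP_MALFORMED };

struct reasm {                       /* hypothetical per-datagram state */
    uint8_t buf[REASM_POOL];
    uint8_t have[REASM_POOL / 8];    /* one flag per 8-byte fragment unit */
    size_t  total;                   /* set when the last fragment arrives */
};

enum frag_result reasm_add(struct reasm *r, uint16_t off_units, int more_frags,
                           const uint8_t *data, size_t len)
{
    size_t start = (size_t)off_units * 8u; /* offset field counts 8-byte units */
    size_t end = start + len;
    size_t u;

    /* Validate offset + length before copying anything: each fragment can be
       a legal size while the reassembled datagram is not. */
    if (end > IP_MAX_PAYLOAD) return FRAG_DROP_OVERSIZE;
    if (end > REASM_POOL) return FRAG_DROP_NOBUF;   /* no room: discard */
    if (more_frags && len % 8u != 0) return FRAG_DROP_MALFORMED;

    memcpy(r->buf + start, data, len);
    for (u = start / 8u; u < (end + 7u) / 8u; u++) r->have[u] = 1;
    if (!more_frags) r->total = end;
    if (r->total == 0) return FRAG_STORED;          /* last fragment not seen */
    for (u = 0; u < (r->total + 7u) / 8u; u++)
        if (!r->have[u]) return FRAG_STORED;        /* still has a hole */
    return FRAG_COMPLETE;
}

/* Feed one constructed, zero-filled fragment into a fresh state. */
enum frag_result demo_one(uint16_t off_units, int more_frags, size_t len)
{
    static struct reasm r;
    static uint8_t payload[2048];
    memset(&r, 0, sizeof r);
    return reasm_add(&r, off_units, more_frags, payload, len);
}
```

With the 40k pool, a final fragment that would end past 65535 bytes is rejected by the first check, and a legal but large datagram is rejected by the second, which matches the discard behaviour the message describes.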