[4401] in linux-net channel archive
Re: SYN spoofing attacks
daemon@ATHENA.MIT.EDU (Michael Callahan)
Sun Sep 15 20:22:05 1996
Date: Sun, 15 Sep 1996 18:21:13 -0400 (EDT)
From: Michael Callahan <mjc@emmy.smith.edu>
Reply-To: Michael Callahan <mjc@emmy.smith.edu>
To: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: linux-net@vger.rutgers.edu, jos@xos.nl
In-Reply-To: <m0v2Gr8-0005FbC@lightning.swansea.linux.org.uk>
On Sun, 15 Sep 1996, Alan Cox wrote:
> One more idea to throw into the can for bigger sites would be to look
> at modifying the masquerading code so a front end box can sit and
> wait for SYN SYN|ACK ACK transitions then pass the connection request through
> to the real host and bend the sequence numbers. That way you can have one
> box with a lot of ram that does nothing but hold connections and expire
> them appropriately. Such a box could if designed right also shield other
> non Linux systems.
Another option I've been thinking about would be to move management of TCP
SYNRCVD sockets into a user-level process for reasons similar to the
user-level ARP daemon. I think that ultimately this would be more
satisfactory than a solution that still required kernel state for SYNRCVD
sockets.
Michael
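The front-end box Alan Cox sketches above, as an added example that is not part of this thread or of the Linux masquerading code: the proxy answers the client's SYN itself, keeps only a small timed half-open entry until the third-handshake ACK arrives, and only then opens the connection to the real host and "bends" sequence numbers so the two halves line up. `Segment` is a stand-in for a TCP header, `connect_backend` is an assumed helper standing in for the handshake with the real host, and the addresses and sequence numbers used are constructed.

```python
"""SYN proxy sketch: hold half-open connections on a front end, then splice
the completed connection to the real host by rewriting sequence numbers.

Hypothetical example code, not from the linux-net thread or the kernel;
segments are a small dataclass rather than real TCP headers.
"""
import random
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

MOD = 1 << 32          # TCP sequence numbers live in a 32-bit ring
Addr = Tuple[str, int]


@dataclass
class Segment:
    src: Addr
    dst: Addr
    seq: int
    ack: int
    syn: bool = False
    ack_flag: bool = False
    payload: bytes = b""


@dataclass
class HalfOpen:
    proxy_isn: int      # ISN the proxy sent in its SYN|ACK
    client_isn: int
    expires_at: float


class SynProxy:
    def __init__(self, connect_backend: Callable[[int], int],
                 isn_source: Callable[[], int] = lambda: random.getrandbits(32),
                 half_open_ttl: float = 30.0):
        # connect_backend(client_isn) is an assumed helper: it performs the
        # handshake with the real host and returns the ISN that host chose.
        self.connect_backend = connect_backend
        self.isn_source = isn_source
        self.half_open_ttl = half_open_ttl
        self.half_open: Dict[Addr, HalfOpen] = {}
        self.delta: Dict[Addr, int] = {}   # server_isn - proxy_isn per client

    def half_open_count(self) -> int:
        return len(self.half_open)

    def expire(self, now: float) -> int:
        """Drop half-open entries whose timer ran out; returns how many."""
        stale = [c for c, h in self.half_open.items() if h.expires_at <= now]
        for c in stale:
            del self.half_open[c]
        return len(stale)

    def on_client_segment(self, seg: Segment, now: float) -> Optional[Segment]:
        """Segment from the client side. Returns what the proxy emits:
        a SYN|ACK back to the client, a rewritten segment toward the real
        host, or None if the segment is dropped."""
        if seg.syn and not seg.ack_flag:
            # A spoofed SYN costs one dict entry here and never reaches the host.
            isn = self.isn_source() % MOD
            self.half_open[seg.src] = HalfOpen(isn, seg.seq, now + self.half_open_ttl)
            return Segment(seg.dst, seg.src, seq=isn, ack=(seg.seq + 1) % MOD,
                           syn=True, ack_flag=True)
        if seg.src in self.half_open:
            h = self.half_open[seg.src]
            if not (seg.ack_flag and seg.ack == (h.proxy_isn + 1) % MOD
                    and seg.seq == (h.client_isn + 1) % MOD):
                return None                      # not the ACK we are waiting for
            del self.half_open[seg.src]
            # Handshake with the real host happens only now; replay the
            # client's ISN so the client->host direction needs no rewrite.
            server_isn = self.connect_backend(h.client_isn) % MOD
            self.delta[seg.src] = (server_isn - h.proxy_isn) % MOD
        if seg.src not in self.delta:
            return None                          # no state for this flow
        d = self.delta[seg.src]
        return Segment(seg.src, seg.dst, seq=seg.seq, ack=(seg.ack + d) % MOD,
                       syn=seg.syn, ack_flag=seg.ack_flag, payload=seg.payload)

    def on_server_segment(self, seg: Segment) -> Optional[Segment]:
        """Segment from the real host toward the client: shift its sequence
        numbers back into the space the client negotiated with the proxy."""
        d = self.delta.get(seg.dst)
        if d is None:
            return None
        return Segment(seg.src, seg.dst, seq=(seg.seq - d) % MOD, ack=seg.ack,
                       syn=seg.syn, ack_flag=seg.ack_flag, payload=seg.payload)
```

The real host only ever sees connections whose client already answered the SYN|ACK, so a flood of spoofed SYNs costs the front end one small entry each until `expire()` reaps them, and costs the host nothing. The per-flow `delta` is the whole of the "bending": client ACKs move up by it, host sequence numbers move down by it, both modulo 2^32 so wraparound is harmless. A kernel implementation would additionally have to recompute the TCP checksum after every rewrite and shift any SACK blocks carried in the options, since those also refer to the host's sequence space.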