[1086] in linux-security and linux-alert archive
Re: [linux-security] inetd and denial-of-service
daemon@ATHENA.MIT.EDU (Brian Mitchell)
Tue Aug 27 08:40:50 1996
Date: Mon, 26 Aug 1996 16:55:00 -0400 (EDT)
From: Brian Mitchell <brian@saturn.net>
To: shagboy@bluesky.net
cc: infinity <route@infonexus.com>, linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Pine.LNX.3.91.960825210628.1216E-100000@cirrus.bluesky.net>
On Sun, 25 Aug 1996, Racer X wrote:
> On Thu, 22 Aug 1996, infinity wrote:
>
> > | >From the sources I have seen for SYN-flooders, they generally forge the
> > | source address. One style is to generate random source addresses, the
> >
> > By very definition of a SYN flood, the source address has to be
> > forged.
>
> No, it doesn't. Any hacker with any intelligence will forge it, but it
> doesn't HAVE to be forged.
if it is not forged, it will not have the desired effect of locking the
victim up. You will get into a syn/syn|ack/rst flood, which when
completed will leave the victim perfectly normal.
>
> > | other is to take a user-specified address. A way around the first style
> > | is this:
> >
> > A randomly generated source address would be a horrible idea. You
> > have a better than even chance of generating one that is reachable.
>
> I'm not following you. First off, why would a randomly generated address
> be a horrible idea? Why any worse than (say) the IP for
> www.whitehouse.gov? And better than even? I don't think so. Not when
> you consider that class A nets 57-126 are all "reserved", as are a bunch
> of others.
They would not use www.whitehouse.gov, because those syn packets would be
reset.
>
> > | If the max number of connects per unit time is passed, stop the server
> > | for (say) 1 or 2 minutes. Then try to reverse DNS all those connects on
> > | that port. Any that can't be reversed should be immediately dropped.
> >
> > A host may have DNS entries and still be unreachable (and vice
> > versa).
>
> That's not my point. The point is, if they DO have DNS entries, they are
> much more likely to be legit than if they don't. Everyone, EVERYONE,
> should be running DNS and have reverse maps. We (and lots of other
> people) don't allow connects from hosts that can't be reversed.
If they forge the ip of a host with reverse dns, but not up - what have
you done? Absolutely nothing.
[REW: Moreover you can expect to have to wait for up to 60 seconds for
a reverse DNS lookup to work.... Some don't really understand networking
it seems. I once found a site that had 65000 nameserver entries. And only
a few tens of them were up-and-reachable. It seems they put all IP numbers
in the nameserver so that they wouldn't have to modify the nameserver if
they assign an IP number to a computer. Neat eh?]
Brian Mitchell brian@saturn.net
"I never give them hell. I just tell the truth and they think it's hell"
- H. Truman
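The two points argued in this thread (that an unforged SYN flood collapses into a SYN / SYN|ACK / RST exchange that frees the victim's half-open slots, while a forged-and-unreachable source holds a slot until the retransmit timer gives up; and that a reverse-DNS filter does nothing against a forged address that happens to have a PTR record) can be shown with a small model of a listening port's half-open queue. The following is an added illustration, not code from the thread or from any inetd; the backlog size, the 75-second give-up time and the TEST-NET addresses are constructed values chosen for the model.

```python
from collections import namedtuple

# Constructed parameters for the model (not from the thread): a tiny listen
# backlog and a roughly 75-second SYN|ACK retransmit give-up, in the range
# used by 1996-era stacks.
BACKLOG = 5
SYN_TIMEOUT = 75

# A SYN's claimed source. `reachable` means a live host sits at that address;
# `has_ptr` means a reverse-DNS entry exists for it. The two are independent,
# which is the point made twice in the thread.
Source = namedtuple("Source", "ip reachable has_ptr")


class ListenSocket:
    """Half-open (SYN_RCVD) queue of one listening port."""

    def __init__(self, backlog=BACKLOG, syn_timeout=SYN_TIMEOUT):
        self.backlog = backlog
        self.syn_timeout = syn_timeout
        self.half_open = {}  # ip -> time at which the server gives up on it
        self.dropped = 0     # SYNs dropped because the queue was full

    def _expire(self, now):
        for ip, give_up in list(self.half_open.items()):
            if give_up <= now:
                del self.half_open[ip]

    def on_syn(self, src, now):
        """Return what happens to one SYN arriving at time `now`."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped += 1
            return "dropped"
        # The server answers with SYN|ACK. A live host either completes the
        # handshake (it really sent the SYN) or replies RST (it did not);
        # either way the embryonic connection is resolved at once. A dead or
        # forged source never replies, so the slot is held until the
        # retransmit timer gives up.
        if src.reachable:
            return "answered"
        self.half_open[src.ip] = now + self.syn_timeout
        return "half-open"


def flood(sock, sources, start=0.0, gap=0.01):
    """Feed one SYN per source, `gap` seconds apart; return the outcomes."""
    return [sock.on_syn(s, start + i * gap) for i, s in enumerate(sources)]


def accepts_legit_after(sources, when):
    """After the given SYNs, does a genuine (reachable) client get a slot at `when`?"""
    sock = ListenSocket()
    flood(sock, sources)
    return sock.on_syn(Source("198.51.100.7", True, True), when) != "dropped"


def reverse_dns_filter(sources):
    """The filter proposed in the thread: keep only sources that reverse-resolve."""
    return [s for s in sources if s.has_ptr]


# Constructed floods of 20 SYNs each (TEST-NET addresses, not real hosts).
HONEST = [Source(f"192.0.2.{i}", reachable=True, has_ptr=False) for i in range(20)]
FORGED_NO_PTR = [Source(f"203.0.113.{i}", reachable=False, has_ptr=False) for i in range(20)]
FORGED_WITH_PTR = [Source(f"203.0.113.{i}", reachable=False, has_ptr=True) for i in range(20)]

if __name__ == "__main__":
    print("unforged flood, legit client 1s later:  ", accepts_legit_after(HONEST, 1.0))
    print("forged flood, legit client 1s later:    ", accepts_legit_after(FORGED_NO_PTR, 1.0))
    print("forged flood, legit client after timeout:", accepts_legit_after(FORGED_NO_PTR, 80.0))
    print("forged flood w/o PTR behind rDNS filter: ",
          accepts_legit_after(reverse_dns_filter(FORGED_NO_PTR), 1.0))
    print("forged flood with PTR behind rDNS filter:",
          accepts_legit_after(reverse_dns_filter(FORGED_WITH_PTR), 1.0))
```

Running it shows the honest flood leaving the queue empty, the forged flood filling the five slots with the first five SYNs and locking a genuine client out until the give-up time passes, and the reverse-DNS filter discarding only the forged sources that lack a PTR record, so a flood built from forged-but-resolvable addresses passes through it and has exactly the same effect on the queue.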