[1086] in linux-security and linux-alert archive


Re: [linux-security] inetd and denial-of-service

daemon@ATHENA.MIT.EDU (Brian Mitchell)
Tue Aug 27 08:40:50 1996

Date: Mon, 26 Aug 1996 16:55:00 -0400 (EDT)
From: Brian Mitchell <brian@saturn.net>
To: shagboy@bluesky.net
cc: infinity <route@infonexus.com>, linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Pine.LNX.3.91.960825210628.1216E-100000@cirrus.bluesky.net>

On Sun, 25 Aug 1996, Racer X wrote:

> On Thu, 22 Aug 1996, infinity wrote:
> 
> > | From the sources I have seen for SYN-flooders, they generally forge the 
> > | source address.  One style is to generate random source addresses, the 
> > 
> > 	By the very definition of a SYN flood, the source address has to be
> > 	forged.
> 
> No, it doesn't.  Any hacker with any intelligence will forge it, but it 
> doesn't HAVE to be forged.

if it is not forged, it will not have the desired effect of locking the 
victim up. You will get into a syn/syn|ack/rst flood, which when 
completed will leave the victim perfectly normal.

> 
> > | other is to take a user-specified address.  A way around the first style 
> > | is this:
> > 
> > 	A randomly generated source address would be a horrible idea.  You
> > 	have a better than even chance of generating one that is reachable.
> 
> I'm not following you.  First off, why would a randomly generated address 
> be a horrible idea?  Why any worse than (say) the IP for 
> www.whitehouse.gov?  And better than even?  I don't think so.  Not when 
> you consider that class A nets 57-126 are all "reserved", as are a bunch 
> of others.

They would not use www.whitehouse.gov, because those syn packets would be 
reset.

> 
> > | If the max number of connects per unit time is passed, stop the server 
> > | for (say) 1 or 2 minutes.  Then try to reverse DNS all those connects on 
> > | that port.  Any that can't be reversed should be immediately dropped.  
> > 
> > 	A host may have DNS entries and still be unreachable (and vice
> > 	versa).
> 
> That's not my point.  The point is, if they DO have DNS entries, they are 
> much more likely to be legit than if they don't.  Everyone, EVERYONE, 
> should be running DNS and have reverse maps.  We (and lots of other 
> people) don't allow connects from hosts that can't be reversed.

If they forge the ip of a host with reverse dns, but not up - what have 
you done? Absolutely nothing.

[REW: Moreover you can expect to have to wait for up to 60 seconds for
a reverse DNS lookup to work.... Some don't really understand networking
it seems. I once found a site that had 65000 nameserver entries. And only
a few tens of them were up-and-reachable. It seems they put all IP numbers
in the nameserver so that they wouldn't have to modify the nameserver if
they assign an IP number to a computer. Neat eh?]

Brian Mitchell 				                brian@saturn.net
"I never give them hell. I just tell the truth and they think it's hell"
- H. Truman
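The two points argued above, that a SYN flood from reachable (unforged or real) sources collapses into a SYN/SYN|ACK/RST exchange that leaves the victim untouched while unreachable forged sources leave the backlog full of half-open entries, and that a reverse-DNS filter is defeated by forging an address that has a PTR record but no running host, can be shown with a small model of the victim's listen backlog. This is an added example, not code from the mailing-list post; the backlog size, the 75-second half-open timeout, the PTR table and the 192.0.2.0/24 and 198.51.100.0/24 addresses are all constructed assumptions.

```python
"""Half-open backlog model of a SYN flood, with the thread's reverse-DNS
filter applied to the attacker's forged source addresses.

Added example, not code from the mailing-list post. Addresses, backlog
size and timeout are constructed assumptions, not measured values.
"""
from dataclasses import dataclass, field

BACKLOG_MAX = 128    # assumed listen() backlog for the victim's service
SYN_TIMEOUT = 75.0   # assumed seconds before a half-open entry is dropped


@dataclass
class HalfOpen:
    src: tuple        # (ip, port) the SYN claimed to come from
    created: float    # time the SYN arrived


@dataclass
class Listener:
    """The victim's listening port: a table of half-open connections."""
    backlog: dict = field(default_factory=dict)   # (ip, port) -> HalfOpen
    dropped_syns: int = 0

    def on_syn(self, src, now):
        """A SYN arrives. Returns True if a slot was taken (SYN|ACK sent)."""
        self._expire(now)
        if len(self.backlog) >= BACKLOG_MAX:
            self.dropped_syns += 1          # backlog full: no SYN|ACK goes out
            return False
        self.backlog[src] = HalfOpen(src, now)
        return True

    def on_rst(self, src):
        """The claimed source answered our SYN|ACK with RST: slot is freed."""
        self.backlog.pop(src, None)

    def on_ack(self, src):
        """Third handshake packet: the slot becomes an established connection."""
        return self.backlog.pop(src, None) is not None

    def _expire(self, now):
        stale = [k for k, h in self.backlog.items() if now - h.created >= SYN_TIMEOUT]
        for k in stale:
            del self.backlog[k]


def simulate_flood(n_syns, reachable, client_delay=1.0):
    """Send n_syns SYNs with forged sources, then let one genuine client connect.

    reachable(ip) -> True if a real host is up at ip. Such a host never sent
    the SYN, so it answers the victim's SYN|ACK with RST (the SYN/SYN|ACK/RST
    exchange described in the thread). If nothing is up at ip the SYN|ACK is
    never answered and the slot stays half-open until SYN_TIMEOUT.
    Returns (half_open_slots_when_the_client_tried, client_accepted).
    """
    ln = Listener()
    for i in range(n_syns):
        src = ("192.0.2.%d" % (i % 250 + 1), 1024 + i)   # constructed TEST-NET-1 sources
        if ln.on_syn(src, 0.0) and reachable(src[0]):
            ln.on_rst(src)                                # live host resets the bogus SYN|ACK
    client = ("198.51.100.7", 40000)                      # constructed genuine client
    ln._expire(client_delay)
    slots = len(ln.backlog)
    accepted = ln.on_syn(client, client_delay)
    if accepted:
        ln.on_ack(client)
    return slots, accepted


# The thread's proposed defence: drop SYNs whose source has no reverse DNS.
# Constructed PTR table; 192.0.2.10 has a PTR record but no host running.
PTR = {
    "192.0.2.10": "idle-box.example.net",
    "198.51.100.7": "client.example.net",
}


def reverse_dns_verdict(ip, reachable):
    """What the reverse-DNS filter buys against one forged source address.

    'dropped'        no PTR record, filter discards the SYN
    'harmless'       PTR and a live host: its RST frees the slot anyway
    'fills_backlog'  PTR but no host up: passes the filter, slot stays half-open
    """
    if ip not in PTR:
        return "dropped"
    return "harmless" if reachable(ip) else "fills_backlog"


if __name__ == "__main__":
    nobody_home = lambda ip: False
    all_live = lambda ip: True
    print("live sources :", simulate_flood(300, all_live))                      # (0, True)
    print("dead sources :", simulate_flood(300, nobody_home))                   # (128, False)
    print("after timeout:", simulate_flood(300, nobody_home, SYN_TIMEOUT + 1))  # (0, True)
    print("PTR, no host :", reverse_dns_verdict("192.0.2.10", nobody_home))     # fills_backlog
```

The model deliberately ignores SYN|ACK retransmission and per-source rate limiting; the point it isolates is the one in the thread, that the damage comes entirely from SYN|ACKs that nobody answers, so what the attacker needs is a source address that is silent, not one that is merely unlisted in DNS.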
