[1087] in linux-security and linux-alert archive


Re: [linux-security] inetd and denial-of-service

daemon@ATHENA.MIT.EDU (Racer X)
Tue Aug 27 08:47:02 1996

Date: Mon, 26 Aug 1996 23:46:17 -0400 (EDT)
From: Racer X <shagboy@wspice.com>
Reply-To: shagboy@bluesky.net
To: Brian Mitchell <brian@saturn.net>
cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Pine.LNX.3.91.960826165116.71D-100000@tcpip>

On Mon, 26 Aug 1996, Brian Mitchell wrote:

> if it is not forged, it will not have the desired effect of locking the 
> victim up. You will get into a syn/syn|ack/rst flood, which when 
> completed will leave the victim perfectly normal.

Not when I tried.  All that happened was that I took up all the open 
connections on my machine as well as the attacked machine.

> They would not use www.whitehouse.gov, because those syn packets would be 
> reset.

I don't think you're right on this one, but if you are, it still doesn't
explain why a randomly chosen source IP is a bad idea, which was what I 
was trying to clarify.

> If they forge the ip of a host with reverse dns, but not up - what have 
> you done? Absolutely nothing.

Sure you have.  If they use that same IP over and over again, you can 
spot a potential SYN flood from that particular host and refuse to accept 
any more SYNs from that host.  Contrary to what you may think, this can 
be done in user space with an ipfwadm-like tool; we just need the hooks 
in the kernel to allow policies to be changed on the fly.

[REW: You can adjust ipfwadm rules on the fly. No need for extra
hooks.  The hard part is getting info about "ongoing syn floods" in an
efficient manner. How about running tcpdump in non-promisc mode,
filtering for syn-packets.]


shag

Judd Bourgeois      | When we are planning for posterity,
shagboy@bluesky.net | we ought to remember that virtue is
Finger for PGP key  | not hereditary.        Thomas Paine
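The user-space detector that the message and the moderator's note sketch (watch SYN packets, count them per source, and push a deny rule when one source keeps sending them) is shown below as an added example; it is not code from this thread or from any of the posters. It assumes the `tcpdump -n` summary line layout of tcpdump 4.x ("Flags [S]" for SYN with ACK clear, "[S.]" for SYN-ACK), a constructed ten-SYNs-per-second threshold, and the ipfwadm input-chain syntax `-I -a deny -P tcp -y -S <src>` as the rule to emit (the command string is returned, not executed). The sample lines are constructed. The caveat the thread is arguing over holds here too: this only trips when the attacker reuses a source address; with a fresh random forged source per SYN the per-source counter never reaches the threshold.

```python
import re
from collections import defaultdict, deque

# Matches the tcpdump -n summary layout (assumed; tcpdump 4.x style):
#   HH:MM:SS.ffffff IP src.sport > dst.dport: Flags [..], ...
TCPDUMP_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.(?P<frac>\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.\d+ > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_syn(line):
    """Return (seconds_since_midnight, src, dst, dport) for a pure SYN.

    Only "Flags [S]" (SYN set, ACK clear) is a connection attempt; a
    SYN-ACK ("[S.]"), RST or anything else returns None.
    """
    m = TCPDUMP_RE.match(line)
    if not m or m.group("flags") != "S":
        return None
    t = (int(m.group("h")) * 3600 + int(m.group("m")) * 60
         + int(m.group("s")) + float("0." + m.group("frac")))
    return t, m.group("src"), m.group("dst"), int(m.group("dport"))


def ipfwadm_deny_syn(src):
    # Assumed ipfwadm syntax: -I input chain, -a deny appends a deny rule,
    # -P tcp, -y matches only SYN-set/ACK-clear segments, -S source address.
    return f"ipfwadm -I -a deny -P tcp -y -S {src}"


class SynMonitor:
    """Sliding-window SYN counter per source address.

    threshold SYNs from one source within `window` seconds marks that
    source as a SYN-flood suspect and records the deny rule to install.
    """

    def __init__(self, threshold=10, window=1.0):
        self.threshold = threshold
        self.window = window
        self.recent = defaultdict(deque)   # src -> timestamps of recent SYNs
        self.blocked = set()               # sources already denied
        self.rules = []                    # ipfwadm commands, in order

    def observe(self, line):
        """Feed one tcpdump line; return the source if it was just blocked."""
        parsed = parse_syn(line)
        if parsed is None:
            return None
        t, src, _dst, _dport = parsed
        if src in self.blocked:
            return None
        q = self.recent[src]
        q.append(t)
        while q and t - q[0] > self.window:     # drop SYNs older than the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked.add(src)
            self.rules.append(ipfwadm_deny_syn(src))
            return src
        return None


# Constructed sample: one host sending 12 SYNs to port 80 inside 0.6 s, a
# second host opening three normal connections over several seconds, plus a
# SYN-ACK and an RST that must not be counted as attempts.
SAMPLE_LINES = [
    f"23:46:17.{100000 + i * 50000:06d} IP 10.0.0.5.{40000 + i} > 192.0.2.10.80: "
    f"Flags [S], seq {i}, win 512, length 0"
    for i in range(12)
] + [
    "23:46:16.500000 IP 198.51.100.7.51000 > 192.0.2.10.80: Flags [S], seq 7, win 8192, length 0",
    "23:46:16.500400 IP 192.0.2.10.80 > 198.51.100.7.51000: Flags [S.], seq 9, ack 8, win 8192, length 0",
    "23:46:18.200000 IP 198.51.100.7.51001 > 192.0.2.10.80: Flags [S], seq 8, win 8192, length 0",
    "23:46:19.900000 IP 198.51.100.7.51002 > 192.0.2.10.80: Flags [S], seq 9, win 8192, length 0",
    "23:46:19.900300 IP 192.0.2.10.80 > 198.51.100.7.51002: Flags [R], seq 0, win 0, length 0",
]


def run_sample():
    """Replay the constructed capture through the monitor and return it."""
    mon = SynMonitor(threshold=10, window=1.0)
    for line in SAMPLE_LINES:
        mon.observe(line)
    return mon


if __name__ == "__main__":
    for rule in run_sample().rules:
        print(rule)
```

Fed from a live `tcpdump -n -l 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'` pipe instead of the constructed list, the same `observe()` loop would hand each returned source to the shell for the ipfwadm call; the threshold and window are the knobs to tune against the host's normal connection rate.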
