[1087] in linux-security and linux-alert archive
Re: [linux-security] inetd and denial-of-service
daemon@ATHENA.MIT.EDU (Racer X)
Tue Aug 27 08:47:02 1996
Date: Mon, 26 Aug 1996 23:46:17 -0400 (EDT)
From: Racer X <shagboy@wspice.com>
Reply-To: shagboy@bluesky.net
To: Brian Mitchell <brian@saturn.net>
cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Pine.LNX.3.91.960826165116.71D-100000@tcpip>
On Mon, 26 Aug 1996, Brian Mitchell wrote:
> if it is not forged, it will not have the desired effect of locking the
> victim up. You will get into a syn/syn|ack/rst flood, which when
> completed will leave the victim perfectly normal.
Not when I tried. All that happened was that I took up all the open
connections on my machine as well as the attacked machine.
> They would not use www.whitehouse.gov, because those syn packets would be
> reset.
I don't think you're right on this one, but if you are, it still doesn't
explain why a randomly chosen source IP is a bad idea, which was what I
was trying to clarify.
> If they forge the ip of a host with reverse dns, but not up - what have
> you done? Absolutely nothing.
Sure you have. If they use that same IP over and over again, you can
spot a potential SYN flood from that particular host and refuse to accept
any more SYN's from that host. Contrary to what you may think, this can
be done in user space with an ipfwadm-like tool; we just need the hooks
in the kernel to allow policies to be changed on the fly.
[REW: You can adjust ipfwadm rules on the fly. No need for extra
hooks. The hard part is getting info about "ongoing syn floods" in an
efficient manner. How about running tcpdump in non-promisc mode,
filtering for syn-packets.]
shag
Judd Bourgeois | When we are planning for posterity,
shagboy@bluesky.net | we ought to remember that virtue is
Finger for PGP key | not hereditary. Thomas Paine
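As an added illustration of the defensive approach discussed in this thread (counting repeated SYNs per source from a packet trace and turning the offenders into deny rules), and not code posted by anyone in it: a small Python script that reads tcpdump -n style lines, tallies pure SYN segments per source address, and emits the ipfwadm commands that would refuse further SYN-only segments from any source over a threshold. The capture lines are constructed; the tcpdump line format and the ipfwadm flag syntax are assumptions, and a real tool would count within a time window rather than over a whole trace.

```python
import re
from collections import Counter

# tcpdump -n line for TCP: "HH:MM:SS.frac IP src.port > dst.port: Flags [..]".
# In the flags field 'S' is SYN and '.' is ACK, so a pure SYN is [S] and a
# SYN/ACK is [S.]. (Format assumed from modern tcpdump output; see lead-in.)
LINE_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ IP (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.\d+: "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample capture: one source opens three half-connections in a
# row, a second source completes a normal three-way handshake.
SAMPLE = """\
23:46:17.100 IP 203.0.113.7.1025 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
23:46:17.101 IP 203.0.113.7.1026 > 192.0.2.10.80: Flags [S], seq 2, win 512, length 0
23:46:17.102 IP 203.0.113.7.1027 > 192.0.2.10.80: Flags [S], seq 3, win 512, length 0
23:46:17.103 IP 198.51.100.4.3456 > 192.0.2.10.80: Flags [S], seq 9, win 512, length 0
23:46:17.104 IP 192.0.2.10.80 > 198.51.100.4.3456: Flags [S.], seq 7, ack 10, win 512, length 0
23:46:17.105 IP 198.51.100.4.3456 > 192.0.2.10.80: Flags [.], ack 8, win 512, length 0
""".splitlines()

def syn_counts(lines):
    """Number of pure SYN segments (SYN set, ACK clear) seen from each source."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # not a TCP line in the expected format; ignore it
        flags = m.group("flags")
        if "S" in flags and "." not in flags:
            counts[m.group("src")] += 1
    return counts

def flagged_sources(lines, threshold):
    """Sources whose pure-SYN count reaches the threshold, in sorted order."""
    return sorted(src for src, n in syn_counts(lines).items() if n >= threshold)

def ipfwadm_deny_rules(sources):
    """ipfwadm commands to refuse further SYN-only segments from each source
    (assumed syntax): -I input list, -a deny append a deny rule, -P tcp,
    -y match SYN-without-ACK only, -S source address."""
    return [f"ipfwadm -I -a deny -P tcp -y -S {src}" for src in sources]

if __name__ == "__main__":
    for rule in ipfwadm_deny_rules(flagged_sources(SAMPLE, threshold=3)):
        print(rule)
```

The SYN/ACK from the server and the final ACK are deliberately not counted, so a host completing handshakes normally never reaches the threshold.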