[1104] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-security] SYN flooding (was inetd and denial-of-service)

daemon@ATHENA.MIT.EDU (thought)
Wed Aug 28 17:33:46 1996

From: thought <route@infonexus.com>
To: sirsyko@dot.ishiboo.com (Ralph the Wonder Llama)
Date: Sun, 25 Aug 1996 11:07:45 -0700 (PDT)
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Pine.BSF.3.91.960825022554.25550A-100000@dot.ishiboo.com> from "Ralph the Wonder Llama" at Aug 25, 96 02:42:03 am

Ralph the Wonder Llama's thoughts were:

| > 	By very defintion of a SYN flood, the source address has to be
| > 	forged.
| 
| No offense, but dont you think that the definition of a syn flood is a 
| flood of syn packets? whocares if the source address is real. Although, 
| the only practical use of a syn flooder is one where the address is 
| forged :)

	True.  I should have clarified that the only useful way to SYN
	flood a host's TCP is with forged source IP addresses.  (Assuming
	you can find a purpose in which SYN flooding is usefull...;))

| why do I like the idea of a random address? It would be cool go get 
| flooded by 123.234.345.456 :)

	Yes but if it just drawn from a hat the host *could* be reachable.
	Besides, `123.234.345.456` will fail when you try to convert it into
	network-byte order...;)

[REW: Most implementations will silently drop the higher bits in
the 4 bytes of an IP address. 123.234.89.200 might just be valid.]

| How does this meet his point. He is saying to hack up an inetd that if it 
| receives many tries from an given host or network, to turn on a filter 
| that disallows any incoming syn requests from being accepted, thus 
| denying this host/network but allowing other hosts/networks to function. 
| However, all this would do is cause the evil haxorer to need to change 
| the source address of his flood routine, but hey, its a start...

	Remember that the inetd (and TCPd) filters work after the completion
	of the 3-way handshake.  SYN flooding only satisfies the first part
	of the 3-way handshake.  I can deny TCP/23 with TCPd from all but
	trusted IP addresses.  It can still be SYN flooded however.

| > 
| > 	The best way to do this is in the kernel.  Briefly: A list of
| 
| Faster in the kernel perhaps. Better? I dont know. I'd rather have my 
| kernel pass the packets to the application and have the application 
| decide how to work (the application in question would be something like 
| xinetd or tcp wrappers). Doing all this trickery in the kernel sounds 

	See above.

| dangerous, ie, memory problems (buffer exhaustion, and/or possible buffer 
| attacks) since the packets have to spend more time and be stored in the 
| memory, and perhaps even be stored in parts of memory that would be 
| trusted  (like I said, possible buffer attack).

	This is a moot point.  If it is coded well, this is not a problem.


-- 
[ route@infonexus.com ]  Editor, Phrack Magazine / Guild Corporation Chair

	       the greatest trick the devil ever pulled was
		   convincing the world he didn't exist

home help back first fref pref prev next nref lref last post