[1117] in linux-security and linux-alert archive


Re: [linux-security] inetd and denial-of-service

daemon@ATHENA.MIT.EDU (Richard Bullington)
Fri Aug 30 15:09:09 1996

Date: Thu, 29 Aug 1996 03:25:51 -0400 (EDT)
From: Richard Bullington <rbulling@obscure.org>
Reply-To: Richard Bullington <rbulling@obscure.org>
To: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Pine.GSO.3.95.960825083407.4029B-100000@clark.net>

On Sun, 25 Aug 1996, Paul D. Robertson wrote:

> On Thu, 22 Aug 1996, infinity wrote:
> 
> > 	By very definition of a SYN flood, the source address has to be
> > 	forged.
> 
> This is simply not true.  There is a particular combination of
> the SuperTCP PC stack and Netscape browser, for instance, that will,
> given the correct versions, SYN flood the hell out of your web server.
> 
> In a malicious attack it would be stupid to SYN flood from your correct IP
> address, but it is certainly possible.

I have an interesting tcpdump trace of a network session gone very badly
that turned into an ACK flood on the telnet port. This session shows a
flood coming from someone's 'correct' IP address.

This flood effectively stopped all network communications on my system
until I had the system administrator of the remote ISP manually shut off
the connection. 

It appeared not to be an attack, but a bug in either Mac System 7.5.3 or
NCSA telnet:

[excerpt from mail diagnosing the problem]
>> When this happens, please reset the computer... it stayed connected for 5
>> hours flooding the 'net with bad packets. What kind of computer was it?
>> Running what operating system? What telnet program?
>
> We did restart the computer.  It's a Power Mac, and the telnet program
> is NCSA telnet, with a SLIP/PPP connection, running System 7.53.

I have posted my tcpdump trace (167K) at:

http://www.obscure.org/~rbulling/tcpdumptrace.txt

[REW: Let's stop this discussion, OK? There are differences in opinion
about what IS a "SYN flood". There are differences in opinion about
what would cause the most harm if you want to do a "malicious SYN
flood". There is evidence that bugs in TCP stacks can cause a SYN
flood.]


-Richard Bullington <rbulling@obscure.org>   http://www.obscure.org
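The thread's practical point for a defender is that a flood, whether a SYN burst or the bare-ACK storm Richard describes, can arrive from a single unforged address, and that a buggy stack looks the same on the wire as a deliberate one. The following is an added example, not code from the thread or from any poster: a small detector that reads lines in the classic tcpdump TCP format ("HH:MM:SS.usec src.port > dst.port: flags ..."), tracks pure SYNs and bare ACKs per (source host, destination port) over a sliding one-second window, and reports sources whose peak exceeds a threshold. The sample trace, the window size and both thresholds are constructed for illustration and are not taken from the 167K trace referenced above.

```python
import re
from collections import defaultdict, deque

# Classic tcpdump TCP line (approximated): timestamp, src host.port, dst host.port,
# then the flag field ("S", "F", "R", "P", or "." for none) and the rest of the line.
TCP_LINE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\.(?P<us>\d{1,6}) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>[SFRP.]+)(?P<rest>.*)$"
)

WINDOW = 1.0          # assumed sliding window, in seconds
SYN_THRESHOLD = 20    # assumed: pure SYNs from one host to one port per window
ACK_THRESHOLD = 50    # assumed: bare ACKs from one host to one port per window


def parse_line(line):
    """Parse one tcpdump TCP line into a dict, or return None for anything else."""
    m = TCP_LINE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    seconds = (int(g["h"]) * 3600 + int(g["m"]) * 60 + int(g["s"])
               + int(g["us"].ljust(6, "0")) / 1e6)
    return {
        "time": seconds,
        "src": g["src"], "sport": int(g["sport"]),
        "dst": g["dst"], "dport": int(g["dport"]),
        # A pure SYN has the S bit and no ack field; a SYN-ACK is not counted as a SYN.
        "syn": "S" in g["flags"] and " ack " not in g["rest"],
        # "." with an ack field is a bare ACK, the packet type in the telnet flood above.
        "bare_ack": g["flags"] == "." and " ack " in g["rest"],
    }


def detect_floods(lines, window=WINDOW, syn_threshold=SYN_THRESHOLD,
                  ack_threshold=ACK_THRESHOLD):
    """Return a sorted list of (kind, src, dport, peak_count) for floods in the trace."""
    recent = defaultdict(deque)   # (kind, src, dport) -> timestamps inside the window
    peak = defaultdict(int)       # highest in-window count seen for each key
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        kinds = (["syn"] if pkt["syn"] else []) + (["ack"] if pkt["bare_ack"] else [])
        for kind in kinds:
            key = (kind, pkt["src"], pkt["dport"])
            q = recent[key]
            q.append(pkt["time"])
            while q and pkt["time"] - q[0] > window:   # drop packets older than the window
                q.popleft()
            peak[key] = max(peak[key], len(q))
    findings = []
    for (kind, src, dport), count in peak.items():
        threshold = syn_threshold if kind == "syn" else ack_threshold
        if count >= threshold:
            findings.append((kind, src, dport, count))
    return sorted(findings)


def constructed_trace():
    """Constructed sample (not the poster's trace): one normal telnet handshake, then a
    host stuck re-sending bare ACKs to port 23, then a single-source SYN burst at port 80."""
    lines = [
        "03:25:51.000100 192.0.2.10.1025 > 198.51.100.5.23: S 1000:1000(0) win 4096",
        "03:25:51.000200 198.51.100.5.23 > 192.0.2.10.1025: S 5000:5000(0) ack 1001 win 8760",
        "03:25:51.000300 192.0.2.10.1025 > 198.51.100.5.23: . ack 5001 win 4096",
    ]
    # 60 bare ACKs in 0.6 s from one unforged address, as a misbehaving stack might emit.
    for i in range(60):
        lines.append(f"03:25:52.{i * 10000:06d} 192.0.2.77.1030 > 198.51.100.5.23: . ack 7001 win 4096")
    # 25 pure SYNs in 0.25 s from one address, cycling source ports, never completing a handshake.
    for i in range(25):
        lines.append(f"03:25:53.{i * 10000:06d} 203.0.113.7.{2000 + i} > 198.51.100.5.80: S {i}:{i}(0) win 512")
    return lines


if __name__ == "__main__":
    for kind, src, dport, count in detect_floods(constructed_trace()):
        print(f"{kind.upper()} flood: {src} -> port {dport}, peak {count} packets per {WINDOW:.0f}s")
```

Keying on the source host rather than the source port is what makes the ACK case visible: a stuck client reuses one connection, while a SYN burst from one address typically walks through source ports, and both collapse to one counter per host. The thresholds are deliberately coarse; on a real trace they should be set from the observed baseline of the host being protected.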
