[1117] in linux-security and linux-alert archive
Re: [linux-security] inetd and denial-of-service
daemon@ATHENA.MIT.EDU (Richard Bullington)
Fri Aug 30 15:09:09 1996
Date: Thu, 29 Aug 1996 03:25:51 -0400 (EDT)
From: Richard Bullington <rbulling@obscure.org>
Reply-To: Richard Bullington <rbulling@obscure.org>
To: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Pine.GSO.3.95.960825083407.4029B-100000@clark.net>
On Sun, 25 Aug 1996, Paul D. Robertson wrote:
> On Thu, 22 Aug 1996, infinity wrote:
>
> > By very definition of a SYN flood, the source address has to be
> > forged.
>
> This is simply not true. There is a particular combination of
> the SuperTCP PC stack and Netscape browser, for instance, that will,
> given the correct versions, SYN flood the hell out of your web server.
>
> In a malicious attack it would be stupid to SYN flood from your correct IP
> address, but it is certainly possible.
I have an interesting tcpdump trace of a network session gone very badly
that turned into an ACK flood on the telnet port. This session shows a
flood coming from someone's 'correct' IP address.
This flood effectively stopped all network communications on my system
until I had the system administrator of the remote ISP manually shut off
the connection.
It appeared not to be an attack, but a bug in either Mac System 7.5.3 or
NCSA telnet:
[excerpt from mail diagnosing the problem]
>> When this happens, please reset the computer... it stayed connected for 5
>> hours flooding the 'net with bad packets. What kind of computer was it?
>> Running what operating system? What telnet program?
>
> We did restart the computer. It's a Power Mac, and the telnet program
> is NCSA telnet, with a SLIP PPP connection, running System 7.53.
I have posted my tcpdump trace (167K) at:
http://www.obscure.org/~rbulling/tcpdumptrace.txt
[REW: Let's stop this discussion, OK? There are differences in opinion
about what IS a "SYN flood". There are differences in opinion about
what would cause the most harm if you want to do a "malicious SYN
flood". There is evidence that bugs in TCP stacks can cause a SYN
flood.]
-Richard Bullington <rbulling@obscure.org> http://www.obscure.org
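As an added example (not from the post or the linked trace), here is a small Python detector for the situation Richard describes: it parses classic tcpdump lines of the kind such a trace contains, and flags any source that sends a burst of packets to the telnet port, labelling the burst SYN or ACK by its flag field. The host names and sample lines are constructed; the regex assumes the old "src.port > dst.port: flags ..." tcpdump layout.

```python
import re
from collections import defaultdict, Counter

# Constructed sample in classic tcpdump style (hypothetical hosts; not the 167K
# trace the post links to). Flag "." = no SYN/FIN/RST/PSH, i.e. a bare ACK.
SAMPLE_TRACE = """\
03:25:51.000100 client.isp.example.1027 > server.example.telnet: . ack 1 win 4096
03:25:51.000250 client.isp.example.1027 > server.example.telnet: . ack 1 win 4096
03:25:51.000400 client.isp.example.1027 > server.example.telnet: . ack 1 win 4096
03:25:51.000550 client.isp.example.1027 > server.example.telnet: . ack 1 win 4096
03:25:51.000700 client.isp.example.1027 > server.example.telnet: . ack 1 win 4096
03:25:51.400000 other.example.2001 > server.example.telnet: S 100:100(0) win 8192
"""
# One tcpdump line: HH:MM:SS.frac src.port > dst.port: flags rest
LINE_RE = re.compile(
    r"^(?P<th>\d\d):(?P<tm>\d\d):(?P<tsec>\d\d\.\d+)\s+(?P<src>\S+?)\.(?P<sport>\w+)"
    r"\s+>\s+(?P<dst>\S+?)\.(?P<dport>\w+):\s+(?P<flags>[SFRP.]+)\s*(?P<rest>.*)$"
)
KIND = {"S": "SYN", ".": "ACK"}  # tcpdump flag field -> flood label

def parse_line(line):
    """Return a dict of fields for one tcpdump line (ts in seconds), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["ts"] = int(pkt.pop("th")) * 3600 + int(pkt.pop("tm")) * 60 + float(pkt.pop("tsec"))
    return pkt

def find_floods(trace, dport="telnet", window=1.0, threshold=4):
    """Map each source sending more than `threshold` packets to `dport` within any
    `window` seconds to (peak count, flag kind). Sources are reported as seen on the
    wire, so an unspoofed flood like the post's shows up under its real address."""
    by_src = defaultdict(list)
    for line in trace.splitlines():
        pkt = parse_line(line)
        if pkt and pkt["dport"] == dport:
            by_src[pkt["src"]].append((pkt["ts"], pkt["flags"]))
    floods = {}
    for src, pkts in by_src.items():
        pkts.sort()
        start, peak = 0, 0
        for end in range(len(pkts)):  # sliding window over sorted timestamps
            while pkts[end][0] - pkts[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flag = Counter(f for _, f in pkts).most_common(1)[0][0]
            floods[src] = (peak, KIND.get(flag, flag))
    return floods
```

Feeding a real trace through `find_floods` with a per-second window is a reasonable first pass; a stack bug like the one discussed produces the same signature as a deliberate flood, so the source address alone does not tell the two apart.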