[472] in cryptography@c2.net mail archive


Re: How bad is this?

daemon@ATHENA.MIT.EDU (Colin Plumb)
Wed Apr 2 15:25:33 1997

Date: Wed, 2 Apr 97 11:39:49 MST
From: colin@nyx.net (Colin Plumb)
To: perry@piermont.com
Cc: cryptography@c2.net

>> Actually, RFC1948 stuff has nothing to do with SYN Floods.

>> It's a protection against sequence number attacks, which permit address
>> spoofing. It is not a denial of service problem at all!

Actually, excuse me.  You're right, and I was getting too focused
on the *other* application of random functions.  This is an important
one and shouldn't be forgotten in the development stuff, but...

The actual things I'm playing with are Dan Bernstein's SYN cookies and
RST cookies, which do some clever things to avoid allocating any
local socket resources until the remote side has responded to
the ACK to their SYN.  (There's also a version that forces the far
end to generate a RST.)  If the host appears to be under attack
(lots of SYN_RECV sockets), the host can stop allocating sockets 
and wait for valid cookies to come back in the sequence number before
starting things.  This requires more network traffic for
successful connections, but if you're under attack, that's a small
fraction of total traffic.

>> This is why the *number* of breaks is important.  Just one, or two,
>> or even a hundred is not fatal.

> Nope. Because this is a defense against spoofing (which can be used,
> for instance, to log in to machines), the number of breaks is ideally
> zero.

You're right; I was forgetting about the original sequence-number-guessing
attack.  (Which probably means that I should throw all of this crap
out the window and go back to what's secure.)

But hopefully this explains why I said what I did.
-- 
	-Colin
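Added example, not part of Colin's post and not Bernstein's or any kernel's code: a toy SYN-cookie generator and checker in Python that shows the stateless idea described above. The server encodes a keyed MAC over the connection 4-tuple and a coarse time counter into the initial sequence number of its SYN-ACK, stores nothing, and only allocates a socket when an ACK returns that carries a cookie it can recompute. The bit layout (5-bit time counter, 3-bit MSS index, 24-bit MAC), the MSS table, the secret and the addresses are all constructed for illustration and do not match any real implementation exactly.

```python
import hmac
import hashlib
import struct

# Constructed server secret for this example only; a real server would
# generate this randomly and rotate it.
SECRET = b"example-secret-not-for-production"

# Cookie layout assumed for this example (32-bit initial sequence number):
#   bits 31..27: time counter t mod 32 (one tick = some tens of seconds)
#   bits 26..24: index into MSS_TABLE, so the MSS survives without state
#   bits 23..0 : truncated HMAC over (t, src_ip, src_port, dst_ip, dst_port)
MSS_TABLE = [536, 1460, 4312, 8960]

MASK32 = 0xFFFFFFFF


def _mac24(t, conn):
    """24-bit keyed MAC binding the counter t to the connection 4-tuple."""
    src_ip, src_port, dst_ip, dst_port = conn
    msg = struct.pack("!I4sH4sH", t, src_ip, src_port, dst_ip, dst_port)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(t, conn, mss):
    """Sequence number to send in the SYN-ACK; no per-connection state kept."""
    # Largest table entry not exceeding what the client advertised.
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            mss_idx = i
    return ((t % 32) << 27) | (mss_idx << 24) | _mac24(t, conn)


def validate_ack(ack_num, now_t, conn, max_age=1):
    """Check the ACK of a bare handshake. Returns the recovered MSS if the
    acknowledged sequence number is a cookie we issued for this 4-tuple
    within the last max_age ticks, otherwise None."""
    cookie = (ack_num - 1) & MASK32          # client acks cookie + 1
    t_low = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    for age in range(max_age + 1):
        t = now_t - age
        if t < 0 or t % 32 != t_low:
            continue
        expected = _mac24(t, conn)
        # Constant-time compare so timing does not leak the MAC.
        if hmac.compare_digest(expected.to_bytes(3, "big"),
                               mac.to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]
    return None


def demo():
    """Walk through one genuine handshake and a few ACKs a server must reject."""
    client = (bytes([203, 0, 113, 7]), 40000)      # constructed client
    server = (bytes([192, 0, 2, 10]), 80)          # constructed server
    conn = (client[0], client[1], server[0], server[1])
    t0 = 1000

    # SYN arrives: send SYN-ACK with a cookie as our ISN, allocate nothing.
    isn = make_cookie(t0, conn, mss=1460)
    # Genuine third packet of the handshake acknowledges isn + 1.
    results = {
        "genuine": validate_ack((isn + 1) & MASK32, t0, conn),
        "one_tick_late": validate_ack((isn + 1) & MASK32, t0 + 1, conn),
        "stale": validate_ack((isn + 1) & MASK32, t0 + 2, conn),
        # Same ack number replayed from a different source port.
        "other_conn": validate_ack((isn + 1) & MASK32, t0,
                                   (client[0], 40001, server[0], server[1])),
    }
    return results


if __name__ == "__main__":
    for name, mss in demo().items():
        print(f"{name:14s} -> {'accept, MSS=' + str(mss) if mss else 'drop'}")
```

Only the "genuine" and "one_tick_late" ACKs produce a socket; the others are dropped without the server ever having stored anything for the half-open connection. The 24-bit MAC is what Colin means by the cost of "breaks": a spoofer who cannot see the SYN-ACK has to guess it, and the time counter bounds how long a captured cookie stays valid.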
