[35542] in North American Network Operators' Group


Re: tcp,guardent,bellovin

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Mon Mar 12 18:52:57 2001

Message-Id: <200103122349.f2CNndk28613@foo-bar-baz.cc.vt.edu>
To: "Richard A. Steenbergen" <ras@e-gerbil.net>
Cc: bert hubert <ahu@ds9a.nl>, nanog@merit.edu
In-reply-to: Your message of "Mon, 12 Mar 2001 18:09:32 EST."
             <Pine.BSF.4.21.0103121808180.98098-100000@overlord.e-gerbil.net> 
From: Valdis.Kletnieks@vt.edu
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 12 Mar 2001 18:49:39 -0500
Errors-To: owner-nanog-outgoing@merit.edu


On Mon, 12 Mar 2001 18:09:32 EST, "Richard A. Steenbergen" said:
> And since the "victim" will have the current sequence number for inbound
> data, what would keep it from (correctly) sending an RST and tearing down
> this false connection?
 
And THAT my friends, was the *original* purpose for a TCP SYN flood - it
wasn't to DOS the victim, it was to DOS a machine *trusted by* the victim
so you could forge a connection and NOT get nailed by an RST.

I'm sure that Steve Bellovin can point us at the original discussion
of this, which was *ages* ago.  I remember hearing that Kevin Mitnick
used that (in addition to other tricks) against Shimomura's machines
and thinking "Hmm.. so it's *not* just a theoretical attack anymore..."


-- 
				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech
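
An added example (not part of the original message): the RST behavior discussed above, turned into a detection check that flags a SYN-ACK arriving for a connection the receiving host never opened and never reset. It assumes a capture taken on the trusted host's own link, so a SYN forged in its name never appears there; the `Pkt` record, the function name, the thresholds and the addresses are constructed for illustration.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "t src sport dst dport flags")

def silent_unsolicited_synacks(packets, rst_window=3.0, flood_window=10.0):
    """Flag SYN-ACKs a host never asked for and never answered with an RST."""
    packets = sorted(packets, key=lambda p: p.t)
    syn_sent = set()  # (src, sport, dst, dport) of every SYN seen so far
    findings = []
    for i, p in enumerate(packets):
        if p.flags == "S":
            syn_sent.add((p.src, p.sport, p.dst, p.dport))
        if p.flags != "SA":
            continue
        reverse = (p.dst, p.dport, p.src, p.sport)
        if reverse in syn_sent:
            continue  # solicited: the receiver opened this connection itself
        # A healthy receiver resets a SYN-ACK for a connection it never opened.
        if any(q.flags.startswith("R") and q.t - p.t <= rst_window
               and (q.src, q.sport, q.dst, q.dport) == reverse
               for q in packets[i + 1:]):
            continue
        # Context: SYNs aimed at the silent host shortly before the SYN-ACK.
        recent = sum(1 for q in packets[:i] if q.flags == "S"
                     and q.dst == p.dst and p.t - q.t <= flood_window)
        findings.append({"silent_host": p.dst, "peer": p.src,
                         "peer_port": p.sport, "recent_syns_to_host": recent})
    return findings

# Constructed sample capture (documentation addresses, not real traffic).
T, V = "192.0.2.10", "192.0.2.20"   # trusted host, host that trusts it
SAMPLE = [
    Pkt(0.000, T, 1021, V, 513, "S"),    # T really opens a connection
    Pkt(0.001, V, 513, T, 1021, "SA"),
    Pkt(0.002, T, 1021, V, 513, "A"),
    Pkt(5.000, V, 513, T, 1023, "SA"),   # unsolicited, T is healthy...
    Pkt(5.001, T, 1023, V, 513, "R"),    # ...so it resets
]
# Burst of SYNs aimed at T, then a SYN-ACK that T never answers.
SAMPLE += [Pkt(10.0 + n / 100, f"198.51.100.{n + 1}", 40000 + n, T, 513, "S")
           for n in range(20)]
SAMPLE.append(Pkt(11.0, V, 513, T, 1022, "SA"))

if __name__ == "__main__":
    for f in silent_unsolicited_synacks(SAMPLE):
        print(f)
```

A finding with a high `recent_syns_to_host` count is the combination the message describes: the host that should have sent the RST was too busy to do so.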



