[35546] in North American Network Operators' Group
Re: tcp,guardent,bellovin
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Mon Mar 12 21:11:55 2001
From: "Steven M. Bellovin" <smb@research.att.com>
To: Valdis.Kletnieks@vt.edu
Cc: "Richard A. Steenbergen" <ras@e-gerbil.net>,
bert hubert <ahu@ds9a.nl>, nanog@merit.edu
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 12 Mar 2001 21:09:29 -0500
Message-Id: <20010313020934.A23DE35C42@berkshire.research.att.com>
Errors-To: owner-nanog-outgoing@merit.edu
In message <200103122349.f2CNndk28613@foo-bar-baz.cc.vt.edu>, Valdis.Kletnieks@vt.edu writes:
>
>On Mon, 12 Mar 2001 18:09:32 EST, "Richard A. Steenbergen" said:
>> And since the "victim" will have the current sequence number for inbound
>> data, what would keep it from (correctly) sending an RST and tearing down
>> this false connection?
>
>And THAT my friends, was the *original* purpose for a TCP SYN flood - it
>wasn't to DOS the victim, it was to DOS a machine *trusted by* the victim
>so you could forge a connection and NOT get nailed by an RST.
>
>I'm sure that Steve Bellovin can point us at the original discussion
>of this, which was *ages* ago. I remember hearing that Kevin Mitnick
>used that (in addition to other tricks) against Shimomura's machines
>and thinking "Hmm.. so it's *not* just a theoretical attack anymore..."
>
More or less. When doing a sequence number guessing attack, one of the
problems faced by the attacker is preventing the spoofed machine from
replying with an RST to the SYN+ACK for a connection it knows nothing
about. Morris's original version used a low-rate SYN flood that
exploited a bug in the BSD kernel to effectively gag a low-numbered
port. His paper can be found at
ftp://ftp.research.att.com/dist/internet_security/117.ps.Z
This isn't the same weakness that was exploited by the early SYN
floods, but it took advantage of the same limit on half-open
connections.
--Steve Bellovin, http://www.research.att.com/~smb
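The mechanism Bellovin describes, a low-rate SYN flood that quietly fills a listener's small half-open queue so the host stops answering on that port, is something a monitoring host can account for directly. The following is an added illustration, not code from the original message or from any of its authors: it replays a constructed packet trace, tracks half-open entries per listening port, and reports the port whose queue reached its limit and the legitimate SYN that was silently dropped as a result. The backlog size (8), the half-open timeout (75 s), the port numbers and all addresses are assumptions made up for the example.

```python
# Added example: detect a low-rate SYN flood that saturates a listener's
# half-open queue. All constants and sample packets below are constructed.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    ts: float     # arrival time in seconds
    src: str      # "ip:port" of the sender
    dport: int    # destination (listening) port
    flags: str    # "S" = SYN, "A" = ACK (completes handshake), "R" = RST

BACKLOG = 8          # assumed half-open limit per listening port
HALF_OPEN_TTL = 75.0 # assumed seconds an unanswered SYN stays queued

def detect(packets, backlog=BACKLOG, ttl=HALF_OPEN_TTL):
    """Replay packets in time order and model a per-port half-open queue.

    Returns a dict with:
      peak      - highest half-open count seen per port
      saturated - ports whose queue reached the backlog limit
      dropped   - per port, SYNs that arrived while the queue was full
    """
    pending = defaultdict(dict)   # dport -> {src: ts of its SYN}
    peak = defaultdict(int)
    dropped = defaultdict(int)
    saturated = set()
    for p in sorted(packets, key=lambda p: p.ts):
        q = pending[p.dport]
        # Age out SYNs the kernel would have given up on.
        for src, ts in list(q.items()):
            if p.ts - ts > ttl:
                del q[src]
        if p.flags == "S":
            if len(q) >= backlog:
                # Queue full: the listener cannot even reply, so this SYN is lost.
                dropped[p.dport] += 1
            else:
                q[p.src] = p.ts
        elif p.flags in ("A", "R") and p.src in q:
            # Handshake completed or aborted: the slot is released.
            del q[p.src]
        n = len(q)
        peak[p.dport] = max(peak[p.dport], n)
        if n >= backlog:
            saturated.add(p.dport)
    return {"peak": dict(peak), "saturated": saturated, "dropped": dict(dropped)}

def sample_packets():
    """Constructed trace: normal mail traffic on port 25, a slow flood on port 513."""
    trace = [
        Packet(0.0, "192.0.2.10:40001", 25, "S"),
        Packet(0.1, "192.0.2.10:40001", 25, "A"),   # completes
        Packet(1.0, "192.0.2.11:40002", 25, "S"),
        Packet(1.2, "192.0.2.11:40002", 25, "A"),   # completes
    ]
    # One unanswered SYN every 7 seconds from never-replying sources: low rate,
    # but eight of them inside the timeout is enough to fill the assumed queue.
    for i in range(8):
        trace.append(Packet(5.0 + 7 * i, f"203.0.113.{i + 1}:1024", 513, "S"))
    # A genuine client tries the same port afterwards and gets no answer.
    trace.append(Packet(70.0, "192.0.2.12:40003", 513, "S"))
    return trace

if __name__ == "__main__":
    report = detect(sample_packets())
    for port in sorted(report["peak"]):
        status = "SATURATED" if port in report["saturated"] else "ok"
        print(f"port {port}: peak half-open {report['peak'][port]}, "
              f"dropped SYNs {report['dropped'].get(port, 0)}, {status}")
```

The point the replay makes is that the flood never has to be loud: a handful of SYNs that are never completed, spaced out within the queue timeout, is enough, which is why a rate-based threshold alone misses it and the half-open count per port is the better signal.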