[4627] in North American Network Operators' Group


ideas for half-open sync flood fixes

daemon@ATHENA.MIT.EDU (Peter Cole)
Fri Sep 20 12:55:24 1996

Date: Fri, 20 Sep 1996 12:50:24 -0400 (EDT)
To: cert@cert.org
From: peter@telescan.com (Peter Cole)
Cc: nanog@merit.edu

ideas for half-open sync flood fixes?

What I understand about this vulnerability:

If a spoofed packet contains a host address that does exist on the net then 
the real host sends a reset and the fake half open socket is killed. No 
problem for the host.

If a spoofed packet contains a nonexistent host address then no host is 
present to send a reset.  Big problem for the host.

fix 1.  Doesn't the network respond with an ICMP message to the attacked host 
telling it that the nonexistent host is unreachable?  The attacked host could 
close a half open socket if it received an ICMP message with the corresponding 
host address and socket port data.

fix 2.  If a router cannot deliver a sync ack packet it could send a reset for 
that sync ack.

fix 3.  If a host sent a ping to the requesting source address before sending 
the sync ack then it could kill nonresponding hosts quickly. 

Three ideas from a lurker.

Peter Cole 
peter@telescan.com
Telescan Inc.
(713) 588-9155

 
Better computing through lack of sleep
Peter Cole (713)588-9155
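
An added example, not part of the original message: a sketch of fix 1, where a listener drops a half-open entry when an ICMP destination-unreachable error quotes its own SYN-ACK. The `SynQueue` class, the helper names and the sample addresses are assumptions made for illustration; the match also requires the quoted sequence number, so an ICMP error that only guesses the addresses and ports does not reap the entry.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3  # ICMP type 3 (RFC 792)

def build_unreach(server_ip, client_ip, sport, dport, seq, code=1):
    """Constructed sample: ICMP error quoting an undeliverable SYN-ACK.
    Checksums are left at 0; a real stack would verify them first."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(server_ip), socket.inet_aton(client_ip))
    tcp8 = struct.pack("!HHI", sport, dport, seq)  # first 8 bytes of TCP header
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + ip + tcp8

def parse_unreach(msg):
    """Return (client_ip, client_port, server_port, seq) or None if malformed."""
    if len(msg) < 28 or msg[0] != ICMP_DEST_UNREACH:
        return None
    quoted = msg[8:]                       # quoted IP header + 8 payload bytes
    ihl = (quoted[0] & 0x0F) * 4
    if quoted[0] >> 4 != 4 or ihl < 20 or quoted[9] != 6:
        return None                        # not IPv4 or not TCP
    if len(quoted) < ihl + 8:
        return None
    client_ip = socket.inet_ntoa(quoted[16:20])   # destination of our SYN-ACK
    sport, dport, seq = struct.unpack("!HHI", quoted[ihl:ihl + 8])
    return client_ip, dport, sport, seq

class SynQueue:
    """Hypothetical half-open table: key -> sequence number of our SYN-ACK."""
    def __init__(self):
        self.half_open = {}

    def on_syn(self, client_ip, client_port, server_port, iss):
        self.half_open[(client_ip, client_port, server_port)] = iss

    def on_icmp(self, msg):
        """Drop the matching half-open entry; return True if one was reaped."""
        parsed = parse_unreach(msg)
        if parsed is None:
            return False
        key, seq = parsed[:3], parsed[3]
        if self.half_open.get(key) != seq:  # unknown entry or wrong sequence
            return False
        del self.half_open[key]
        return True

if __name__ == "__main__":
    q = SynQueue()
    q.on_syn("198.51.100.7", 40000, 80, 0x1000)   # constructed spoofed SYN
    err = build_unreach("192.0.2.10", "198.51.100.7", 80, 40000, 0x1000)
    print(q.on_icmp(err), len(q.half_open))
```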

