[3327] in bugtraq
Re: Reachable addresses on the net (was SYN floods)
daemon@ATHENA.MIT.EDU (Oliver Xymoron)
Tue Sep 3 16:47:06 1996
Date: Tue, 3 Sep 1996 15:15:07 -0500
Reply-To: Oliver Xymoron <oxymoron@waste.org>
From: Oliver Xymoron <oxymoron@waste.org>
X-To: Speed Racer <shagboy@dns.bluesky.net>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To: <Pine.SUN.3.95.960903140016.29695A-100000@dns.bluesky.net>
On Tue, 3 Sep 1996, Speed Racer wrote:
> On Sat, 31 Aug 1996, Oliver Xymoron wrote:
>
> > As you can see, the address space is still quite sparse (less than 1 out
> > of every 200 addresses is reachable in my test), with most being inside
> > the 127 net. At least for the purpose of SYN flooding, the assumption
> > that a random address is unreachable is probably safe and probably quite
> > useful. Any local protection has to bear this in mind, and perhaps keep a
> > cache of known good addresses handy.
>
> Some questions for you-
>
> 1. When you generated the random addresses, did you throw out anything in
> class A nets 56-127? Those are marked reserved according to the IANA, as
> are all nets 224 (225?) and up. That's a lot of the address space right
> there.
My initial version took four bytes from /dev/random and used them as an
address, no filtering. The version I posted used the rand() function in
Perl. So it was trying to ping everything, including reserved addresses,
multicast groups, loopbacks, broadcast addresses, etc.
> 2. Exactly how did you manage to get replies from net 127 addresses? I
> could SWEAR that 127 is marked reserved for localhost. It would certainly
> be possible to set up a network on 127; most routing software doesn't care
> too much about 127, but it'd be kinda goofy.
Linux boxes at least respond to everything on the loopback interface. I'm
guessing this is some form of loopback optimization.
> I do agree that a cache of valid addresses might be a good idea; I'm not
> sure how it could be implemented tho.
Perhaps by keeping track via hashing of the last N addresses that have
actually established connections and throwing away SYN packets that are
blocking things up and are from otherwise unknown locations. No good for a
web server, which is accessed by relatively random addresses anyway, but
it might keep a flood from locking out something crucial like telnet. It
might also make sense to allow firewalls to "give precedence" to packets
received on local interfaces over stuff from ISPs.
--
"Love the dolphins," she advised him. "Write by W.A.S.T.E.."
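An added example (not from the post, and not any kernel's code) of the known-good cache Oliver sketches above: an LRU of the last N source addresses that completed a handshake, consulted only once the half-open queue nears its limit, with the "local interface precedence" idea folded in as a flag. The cache size, the 80% flood threshold, the sample addresses and the event format are all assumptions made for the illustration.

```python
from collections import OrderedDict


class KnownGoodCache:
    """LRU of the last N source addresses that completed a TCP handshake."""

    def __init__(self, capacity=1024):
        self.capacity = capacity
        self._addrs = OrderedDict()

    def record_established(self, addr):
        # Refresh an existing entry, or insert and evict the least recent one.
        if addr in self._addrs:
            self._addrs.move_to_end(addr)
        else:
            self._addrs[addr] = True
            if len(self._addrs) > self.capacity:
                self._addrs.popitem(last=False)

    def __contains__(self, addr):
        return addr in self._addrs


def admit_syn(cache, src_addr, backlog_used, backlog_max, from_local_iface=False, flood_ratio=0.8):
    """Keep a new SYN in the half-open queue?  Below the threshold everything is
    accepted; above it only known-good or locally received SYNs are kept."""
    if backlog_used < flood_ratio * backlog_max:
        return True
    return from_local_iface or src_addr in cache


def simulate(cache, events, backlog_max=8):
    """Replay constructed (kind, addr, local) events; returns (accepted, dropped)."""
    backlog = accepted = dropped = 0
    for kind, addr, local in events:
        if kind == "established":        # handshake completed: remember the peer
            cache.record_established(addr)
            backlog = max(0, backlog - 1)
        elif kind == "syn":
            if admit_syn(cache, addr, backlog, backlog_max, local):
                backlog += 1
                accepted += 1
            else:
                dropped += 1
    return accepted, dropped


def demo():
    """Constructed scenario: one real client, then spoofed SYNs that never complete."""
    events = [("syn", "10.0.0.5", False), ("established", "10.0.0.5", False)]
    events += [("syn", "192.0.2.%d" % i, False) for i in range(1, 9)]  # 8 spoofed
    events += [("syn", "10.0.0.5", False),      # known-good: still admitted
               ("syn", "192.0.2.99", True),     # local interface: admitted
               ("syn", "192.0.2.100", False)]   # unknown under flood: dropped
    return simulate(KnownGoodCache(capacity=16), events)
```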