[3477] in bugtraq
Re: Excellent host SYN-attack fix for BSD hosts
daemon@ATHENA.MIT.EDU (Steve Kann)
Wed Oct 16 13:37:37 1996
Date: Tue, 15 Oct 1996 16:41:57 -0400
Reply-To: Steve Kann <stevek@io360.com>
From: Steve Kann <stevek@io360.com>
X-To: jaw@Op.Net
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To: <199610141743.NAA23080@sulcus.op.net> from Jeff Weisberg at "Oct 14, 96 01:43:57 pm"
> | It also breaks "naked SYN" filtering which is commonly employed as a way
> | to let established connections through without much effort and filter only
> | those TCP packets that have a SYN.
> | (Stuff like Cisco's established keyword)
>
> this would require either:
>     guessing the system's secret (128 bits)
>         very unlikely
>
>     inverting md5
>         I won't say it is impossible, but it is hard
>
>     sending lots and lots of packets until we get a connection
>         the odds are no better/worse than any other attack
>         based on guessing at seq. numbers
>
> guessing at a rate of 100 packets/sec it will require,
> on average, 3 days. Few 2600 readers have this patience.
3 days of letting a program rip doesn't seem like much price to pay for
being able to subvert a packet filter rule. This is what has scared me
about this solution from the outset. Am I missing something, or are we
setting ourselves up to exchange a DOS condition for something worse?
-SteveK
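The concern raised in this message, as an added example that is not code from the thread or from Jeff Weisberg's BSD patch: a toy SYN-cookie listener sits behind a filter modelled on Cisco's "established" rule (pass anything with ACK set, drop a bare SYN). A legitimate client completes the handshake normally. An attacker then sends only bare ACKs, enumerating the keyed-hash field of the cookie, and the listener creates a connection the moment one guess matches, although no SYN ever crossed the filter. The cookie layout (an 8-bit counter plus `mac_bits` of MD5 output keyed with a 128-bit secret), the counter width, and the attacker's ability to bracket the counter are assumptions made for the illustration; `expected_seconds` lets you plug in a real layout and send rate to get the kind of figure quoted above.

```python
"""Toy SYN-cookie listener behind an 'established'-style filter.

Added example, not code from the Bugtraq thread.  ASSUMPTIONS: cookie =
[8-bit counter][mac_bits of keyed MD5]; the attacker can bracket the
counter (it is a coarse clock, not a secret).  This is not the BSD patch
under discussion.
"""
import hashlib
import os
import random
import struct

SYN = 0x02
ACK = 0x10


def established_rule_passes(flags):
    """Model of an inbound 'established' ACL entry: pass any segment with
    ACK set, drop a bare SYN.  A bare ACK is therefore never filtered."""
    return bool(flags & ACK)


class SynCookieServer:
    """SYN-cookie listener that keeps no per-SYN state."""

    def __init__(self, mac_bits=24, secret=None):
        if not 1 <= mac_bits <= 24:
            raise ValueError("counter byte plus MAC must fit in 32 bits")
        self.secret = secret if secret is not None else os.urandom(16)  # 128-bit
        self.mac_bits = mac_bits
        self.counter = 0          # coarse clock, advanced by tick()
        self.syns_seen = 0
        self.established = set()

    def tick(self):
        self.counter = (self.counter + 1) & 0xFF

    def _mac(self, src, sport, dst, dport, counter):
        data = self.secret + struct.pack("!4sH4sHB", src, sport, dst, dport, counter)
        digest = hashlib.md5(data).digest()
        return int.from_bytes(digest[:4], "big") & ((1 << self.mac_bits) - 1)

    def cookie(self, src, sport, dst, dport, counter):
        return (counter << self.mac_bits) | self._mac(src, sport, dst, dport, counter)

    def on_syn(self, src, sport, dst, dport):
        """Answer a SYN with a SYN/ACK whose ISN is the cookie; store nothing."""
        self.syns_seen += 1
        return self.cookie(src, sport, dst, dport, self.counter)

    def on_ack(self, src, sport, dst, dport, ack):
        """Third handshake packet: ack-1 must be a cookie we could have issued
        for this 4-tuple under the current or previous counter.  If so, the
        connection is created from the bare ACK alone."""
        value = (ack - 1) & 0xFFFFFFFF
        counter = value >> self.mac_bits
        if counter not in (self.counter, (self.counter - 1) & 0xFF):
            return False
        if value != self.cookie(src, sport, dst, dport, counter):
            return False
        self.established.add((src, sport, dst, dport))
        return True


def ack_guessing_attack(server, src, sport, dst, dport, counter_guess):
    """Send bare ACKs (never a SYN) enumerating the MAC field for one counter
    value.  Returns (packets_sent, accepted)."""
    if not established_rule_passes(ACK):
        raise AssertionError("an 'established' rule passes a bare ACK")
    for sent, mac in enumerate(range(1 << server.mac_bits), start=1):
        ack = ((counter_guess << server.mac_bits) | mac) + 1
        if server.on_ack(src, sport, dst, dport, ack & 0xFFFFFFFF):
            return sent, True
    return 1 << server.mac_bits, False


def expected_packets(mac_bits):
    """Sequential enumeration hits the one valid MAC after about half the space."""
    return 2 ** (mac_bits - 1)


def expected_seconds(mac_bits, packets_per_second):
    return expected_packets(mac_bits) / packets_per_second


def demo(mac_bits=16, seed=1):
    """Legitimate handshake, then the ACK-only attack against a toy MAC width
    small enough to exhaust here (constructed addresses and ports)."""
    rng = random.Random(seed)
    secret = bytes(rng.getrandbits(8) for _ in range(16))
    server = SynCookieServer(mac_bits=mac_bits, secret=secret)

    client = (b"\x0a\x00\x00\x05", 40000, b"\x0a\x00\x00\x01", 80)
    isn = server.on_syn(*client)
    legit_ok = server.on_ack(*client, isn + 1)

    attacker = (b"\xc0\x00\x02\x07", 31337, b"\x0a\x00\x00\x01", 80)
    syns_before = server.syns_seen
    sent, accepted = ack_guessing_attack(server, *attacker, server.counter)
    return {
        "legit_ok": legit_ok,
        "attack_accepted": accepted,
        "attacker_syns": server.syns_seen - syns_before,
        "packets_sent": sent,
        "max_packets": 1 << mac_bits,
    }


if __name__ == "__main__":
    print(demo())
    print("24 MAC bits at 100 pps:", expected_seconds(24, 100) / 86400, "days")
```

The point the example makes concrete: the filter's assumption is that an inbound connection cannot exist unless an inbound SYN was allowed, and a stateless cookie check breaks exactly that assumption, so the only thing standing between a bare ACK and an established socket is the width of the hash field and the rate at which the attacker can send. Whether that is days or years depends on how many of the 32 ISN bits carry keyed-hash output, which is the number to check in any real implementation.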