[2538] in bugtraq
Re: TCP SYN probe detection tool available
daemon@ATHENA.MIT.EDU (JaDe)
Thu May 16 13:46:09 1996
Date: Thu, 16 May 1996 09:58:22 -0700
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
From: JaDe <jadestar@netcom.com>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To: <199605161338.PAA14763@utctu15.ct.utwente.nl> from "Henri
Karrenbeld" at May 16, 96 03:38:30 pm
>
> I am afraid I do not read other security lists besides this one (I glance at
> Linux-alert and Linux-security occasionally when linux.dev.* mentions something)
> And of course stuff like cert-advisory, but in none of these have I seen
> what actually can be done with SYN packets... Could someone explain this?
>
> $) Henri
SYN packets signal a request to open/negotiate a new
session -- the problem arises when an attacker
forges a series of packets that all have the SYN flag
set. The recipient host can easily overflow its
kernel structures in its effort to negotiate all of
these "connection requests."
This amounts to a denial of service attack (bad or
badly configured kernels may panic or may start
"thrashing" -- good kernels have a limit -- either
way the machine is temporarily "off the net" (unable
to carry on useful TCP/IP communications).
This is _at_best_ a gross oversimplification and may be
in error on some points. I'm not a TCP/IP programmer
or a kernel hacker. I guess there is some sort of
timeout.
Basically detecting these attacks is a matter of
heuristics. Ideally one would have a programmable
router that would monitor TCP sessions (state monitoring)
and would log, alert, and deny packets from a host/site
that appeared to be utilizing too much of a machine's
TCP resources.
This issue has been held forth as evidence that IPv4
can't be made sufficiently secure to carry us into
the next decade (TCP/IP as we know it is IP version
4). Right now there are developers working on
IPv6 (IPv5 was skipped for technical reasons) --
but it doesn't look like there will be any *real*
deployment of that until next year -- at the earliest.
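The "state monitoring" heuristic described in the reply, as an added example that is not part of the original post or of any tool mentioned in the thread: track each TCP handshake from the SYN, count how many connections per source are still half-open (SYN seen, client ACK not yet seen), expire entries after a timeout the way a kernel would, and flag any source whose half-open count exceeds a threshold. The packet trace, the addresses (10.0.0.5, 192.0.2.7, 198.51.100.10) and the thresholds are constructed for illustration.

```python
"""
Heuristic SYN-flood detector over a packet trace.

Added example, not code from the Bugtraq post.  Each packet is a tuple
(time, src, dst, sport, dport, flags).  A SYN without ACK opens a
half-open entry keyed on the 4-tuple; the client's ACK (or a RST)
closes it; entries older than `timeout` seconds are expired, which is
the kernel timeout the post guesses at.  A source whose simultaneous
half-open count exceeds `max_half_open` is reported.
"""
from collections import defaultdict

SYN, RST, ACK = 0x02, 0x04, 0x10


def half_open_peaks(packets, timeout=3.0):
    """Return {src: peak number of simultaneous half-open connections}."""
    half_open = {}                 # (src, sport, dst, dport) -> time of SYN
    per_src = defaultdict(int)     # src -> current half-open count
    peak = defaultdict(int)        # src -> highest count seen
    for t, src, dst, sport, dport, flags in sorted(packets, key=lambda p: p[0]):
        # Expire stale half-open entries (what a kernel timeout does).
        for key, t0 in list(half_open.items()):
            if t - t0 > timeout:
                del half_open[key]
                per_src[key[0]] -= 1
        key = (src, sport, dst, dport)
        if flags & SYN and not flags & ACK:
            # New connection request from src; count it until the ACK arrives.
            if key not in half_open:
                half_open[key] = t
                per_src[src] += 1
                peak[src] = max(peak[src], per_src[src])
        elif flags & (ACK | RST):
            # Third handshake step from the client, or an abort, closes the entry.
            # The server's SYN-ACK has the reverse 4-tuple and never matches.
            if key in half_open:
                del half_open[key]
                per_src[src] -= 1
    return dict(peak)


def detect_syn_flood(packets, max_half_open=5, timeout=3.0):
    """Sources whose half-open count exceeded max_half_open, with their peak."""
    peaks = half_open_peaks(packets, timeout)
    return {src: p for src, p in peaks.items() if p > max_half_open}


def sample_trace():
    """Constructed trace: one well-behaved client and one SYN flooder."""
    srv = "198.51.100.10"
    pkts = []
    # Legitimate client completes three handshakes (SYN, SYN-ACK, ACK).
    for i, t in enumerate((0.0, 0.5, 1.0)):
        sport = 40000 + i
        pkts.append((t, "10.0.0.5", srv, sport, 80, SYN))
        pkts.append((t + 0.01, srv, "10.0.0.5", 80, sport, SYN | ACK))
        pkts.append((t + 0.02, "10.0.0.5", srv, sport, 80, ACK))
    # Flooder sends 20 SYNs from distinct ports and never answers the SYN-ACK.
    for i in range(20):
        t = 2.0 + i * 0.01
        pkts.append((t, "192.0.2.7", srv, 50000 + i, 80, SYN))
        pkts.append((t + 0.005, srv, "192.0.2.7", 80, 50000 + i, SYN | ACK))
    return pkts


if __name__ == "__main__":
    print(half_open_peaks(sample_trace()))
    print(detect_syn_flood(sample_trace()))
```

With the default 3-second timeout the flooder reaches 20 outstanding half-open connections and is reported while the legitimate client peaks at 1; shortening the timeout to 50 ms bounds the flooder's outstanding count to a handful, which is the "good kernels have a limit" behaviour the post refers to, at the cost of dropping slow legitimate clients.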