From owner-freebsd-security Thu May 13 22:53:40 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gw.whitefang.com (calnet11-70.gtecablemodem.com [207.175.234.70])
    by hub.freebsd.org (Postfix) with SMTP id 31EB01527B
    for ; Thu, 13 May 1999 22:53:36 -0700 (PDT)
    (envelope-from shadows@whitefang.com)
Received: (qmail 4901 invoked from network); 14 May 1999 05:53:30 -0000
Received: from rage.whitefang.com (shadows@192.168.1.3)
    by gw.whitefang.com with SMTP; 14 May 1999 05:53:30 -0000
Date: Thu, 13 May 1999 22:52:38 -0700 (PDT)
From: Thamer Al-Herbish
To: security@FreeBSD.ORG
Subject: Re: Forwarded from BUGTRAQ: SYN floods against FreeBSD
In-Reply-To: <199905140546.WAA06542@salsa.gv.tsc.tdk.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 13 May 1999, Don Lewis wrote:

> to vulnerable ports by filtering out incoming SYN packets. If an attacker
> can guess what sequence number you would have sent in a SYN-ACK, he can
> establish a connection by just sending the third packet in the initial
> three-way handshake. This isn't especially easy to brute force because

The syn-cookie workaround does not make it any easier to guess the
sequence number. You would need the actual secret that changes every so
often to come up with it. This secret is hashed with the ISN from the
packet and the addresses on the packet. Knowing the ISN and the addresses
is irrelevant because the hash is not reversible.

Unless the interval where the secret would change was exceptionally long,
it is doubtful you can crack a 32-bit secret.

My understanding of the syn cookie mechanism leads me to believe that it
is not possible to brute force it with conventional computer power. Maybe
in a few years with faster computers it would be.
--
Thamer Al-Herbish                     PGP public key:
shadows@whitefang.com                 http://www.whitefang.com/pgpkey.txt
[ The Secure UNIX Programming FAQ    http://www.whitefang.com/sup/ ]
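
The stateless check discussed in the message above, as an added example that is not part of the original post or of FreeBSD's code: the server's SYN-ACK sequence number is 32 bits of a keyed hash over the client's ISN and the addresses, and the final ACK is accepted only if that value can be recomputed. Assumptions: HMAC-SHA256 stands in for the hash the message does not name, the 64-second rotation and acceptance of the previous secret are illustrative choices, and the key and addresses are constructed.

```python
import hashlib
import hmac
import socket
import struct

ROTATE_SECONDS = 64                      # assumed lifetime of one secret
MASTER_KEY = b"constructed-demo-key"     # constructed; a real stack uses random bytes

def epoch_secret(epoch):
    """Secret for one rotation interval, derived so the demo is repeatable."""
    return hmac.new(MASTER_KEY, struct.pack("!Q", epoch), hashlib.sha256).digest()

def make_cookie(src, sport, dst, dport, client_isn, now):
    """Server ISN for the SYN-ACK: keyed hash of client ISN, addresses and ports."""
    msg = (socket.inet_aton(src) + socket.inet_aton(dst)
           + struct.pack("!HHI", sport, dport, client_isn & 0xFFFFFFFF))
    secret = epoch_secret(int(now) // ROTATE_SECONDS)
    return struct.unpack("!I", hmac.new(secret, msg, hashlib.sha256).digest()[:4])[0]

def check_ack(src, sport, dst, dport, seq, ack, now):
    """Validate the third handshake packet without any per-connection state.

    seq is the client's ISN + 1 and ack is the server's cookie + 1, so both
    inputs to the hash are recoverable from the ACK itself.
    """
    client_isn = (seq - 1) & 0xFFFFFFFF
    claimed = struct.pack("!I", (ack - 1) & 0xFFFFFFFF)
    for age in (0, 1):                   # current secret, then the previous one
        t = now - age * ROTATE_SECONDS
        if t < 0:
            continue
        expected = struct.pack("!I", make_cookie(src, sport, dst, dport, client_isn, t))
        if hmac.compare_digest(claimed, expected):
            return True
    return False

def demo():
    conn = ("203.0.113.7", 40000, "192.0.2.1", 80)   # constructed documentation addresses
    isn, t0 = 0x1234ABCD, 1000
    cookie = make_cookie(*conn, isn, t0)
    return {
        "legit": check_ack(*conn, isn + 1, cookie + 1, t0 + 5),
        "after_one_rotation": check_ack(*conn, isn + 1, cookie + 1, t0 + ROTATE_SECONDS),
        "wrong_guess": check_ack(*conn, isn + 1, (cookie ^ 1) + 1, t0 + 5),
        "other_source": check_ack("203.0.113.8", 40000, "192.0.2.1", 80, isn + 1, cookie + 1, t0 + 5),
        "stale": check_ack(*conn, isn + 1, cookie + 1, t0 + 3 * ROTATE_SECONDS),
    }

if __name__ == "__main__":
    print(demo())
```
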