From owner-freebsd-security Thu May 13 22:46:28 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gatekeeper.tsc.tdk.com (gatekeeper.tsc.tdk.com [207.113.159.21]) by hub.freebsd.org (Postfix) with ESMTP id 5583B152A3 for ; Thu, 13 May 1999 22:46:25 -0700 (PDT) (envelope-from gdonl@tsc.tdk.com)
Received: from sunrise.gv.tsc.tdk.com (root@sunrise.gv.tsc.tdk.com [192.168.241.191]) by gatekeeper.tsc.tdk.com (8.8.8/8.8.8) with ESMTP id WAA25855; Thu, 13 May 1999 22:46:12 -0700 (PDT) (envelope-from gdonl@tsc.tdk.com)
Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194]) by sunrise.gv.tsc.tdk.com (8.8.5/8.8.5) with ESMTP id WAA18480; Thu, 13 May 1999 22:46:10 -0700 (PDT)
Received: (from gdonl@localhost) by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id WAA06542; Thu, 13 May 1999 22:46:09 -0700 (PDT)
From: Don Lewis
Message-Id: <199905140546.WAA06542@salsa.gv.tsc.tdk.com>
Date: Thu, 13 May 1999 22:46:09 -0700
In-Reply-To: Thamer Al-Herbish "Re: Forwarded from BUGTRAQ: SYN floods against FreeBSD" (May 13, 7:37pm)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Thamer Al-Herbish , security@FreeBSD.ORG
Subject: Re: Forwarded from BUGTRAQ: SYN floods against FreeBSD
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On May 13, 7:37pm, Thamer Al-Herbish wrote:
} Subject: Re: Forwarded from BUGTRAQ: SYN floods against FreeBSD
} Btw, if it matters any I liked Bernstein's syn cookies. The only
} conceivable problem there was storing initial TCP option information
} which could not be done because of the cookie-response design.
}
} Quick summary of syn cookies:
}
} You would send back a cookie as the sequence number based on a
} secret that changes every so often hashed with the client's initial
} sequence number. If you get back a SYN-ACK, you check it against the
} same hash, and a match means you can respond and finish the
} handshake. You effectively _never_ store information about the first
} SYNs and thus _never_ have to worry about resources. TCBs are
} created after the handshake is completed.

One potential danger is that you can't totally block incoming
connections to vulnerable ports by filtering out incoming SYN packets.
If an attacker can guess what sequence number you would have sent in a
SYN-ACK, he can establish a connection by just sending the third packet
in the initial three-way handshake. This isn't especially easy to brute
force because the sequence space is a 32-bit number, but it's not
totally unreasonable either if the attacker is patient enough. The
attacker may also be able to make better guesses if he knows the
details of the implementation he is attacking.
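As an added illustration, not code from this thread or from FreeBSD, here is a minimal SYN-cookie generator and verifier in Python along the lines of the summary quoted above, with a server secret that rotates per time slot. The 64-second slot width, the MSS table and the 5/3/24-bit layout are assumptions of this example; the point it makes concrete is that `check_ack` consults no record of pending SYNs, so a filter that merely drops inbound SYNs does not by itself prevent an ACK carrying a valid cookie from being accepted.

```python
import hashlib
import hmac
import struct

# Constructed parameters for this example (not FreeBSD's actual layout):
# the secret is rotated every SLOT_SECONDS, and a 3-bit field encodes an
# index into MSS_TABLE so the negotiated MSS survives without a stored TCB.
SLOT_SECONDS = 64
MSS_TABLE = (536, 1220, 1440, 1460)

def slot_of(now):
    """Secret-rotation slot that the wall-clock time `now` falls in."""
    return int(now // SLOT_SECONDS)

def mac24(secret, saddr, sport, daddr, dport, client_isn, slot):
    """Low 24 bits of the cookie: a MAC over the 4-tuple, client ISN and slot."""
    msg = struct.pack("!4sH4sHII", saddr, sport, daddr, dport, client_isn, slot)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(saddr, sport, daddr, dport, client_isn, mss, now, secrets):
    """Server ISN for the SYN-ACK: 5 bits of slot | 3 bits of MSS index | 24-bit MAC."""
    slot = slot_of(now)
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    h = mac24(secrets[slot], saddr, sport, daddr, dport, client_isn, slot)
    return ((slot & 0x1F) << 27) | (mss_idx << 24) | h

def check_ack(saddr, sport, daddr, dport, seq, ack, now, secrets):
    """Validate the third handshake packet; return the MSS to use, or None.

    No record of the original SYN is consulted: the verdict depends only on
    the ACK's own fields, which is the property the reply above warns about."""
    client_isn = (seq - 1) & 0xFFFFFFFF
    cookie = (ack - 1) & 0xFFFFFFFF
    # Only cookies from the current or the previous slot are still honoured;
    # older secrets are forgotten, so a stale cookie fails even if it was genuine.
    for slot in (slot_of(now), slot_of(now) - 1):
        if (slot & 0x1F) != cookie >> 27:
            continue
        secret = secrets.get(slot)
        if secret is None:
            return None
        want = mac24(secret, saddr, sport, daddr, dport, client_isn, slot)
        got = cookie & 0xFFFFFF
        if hmac.compare_digest(want.to_bytes(3, "big"), got.to_bytes(3, "big")):
            return MSS_TABLE[(cookie >> 24) & 0x7]
        return None
    return None
```

Limiting the accepted slots bounds how long any one cookie value stays valid, which is the main lever a stateless design has against a patient guesser.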