Date:      Thu, 13 May 1999 22:46:09 -0700
From:      Don Lewis <Don.Lewis@tsc.tdk.com>
To:        Thamer Al-Herbish <shadows@whitefang.com>, security@FreeBSD.ORG
Subject:   Re: Forwarded from BUGTRAQ: SYN floods against FreeBSD
Message-ID:  <199905140546.WAA06542@salsa.gv.tsc.tdk.com>
In-Reply-To: Thamer Al-Herbish <shadows@whitefang.com> "Re: Forwarded from BUGTRAQ: SYN floods against FreeBSD" (May 13,  7:37pm)

On May 13,  7:37pm, Thamer Al-Herbish wrote:
} Subject: Re: Forwarded from BUGTRAQ: SYN floods against FreeBSD

} Btw, if it matters any I liked Bernstein's syn cookies. The only 
} conceivable problem there was storing initial TCP option information
} which could not be done because of the cookie-response design. 
} 
} Quick summary of syn cookies: 
} 
} You would send back a cookie as the sequence number based on a
} secret that changes every so often hashed with the client's initial
} sequence number. If you get back a SYN-ACK, you check it against the
} same hash, and a match means you can respond and finish the
} handshake. You effectively _never_ store information about the first
} SYNs and thus _never_ have to worry about resources. TCBs are
} created after the handshake is completed.

One potential danger is that you can't totally block incoming connections
to vulnerable ports by filtering out incoming SYN packets.  If an attacker
can guess what sequence number you would have sent in a SYN-ACK, he can
establish a connection by just sending the third packet in the initial
three-way handshake.  This isn't especially easy to brute force because
the sequence space is a 32 bit number, but it's not totally unreasonable
either if the attacker is patient enough.  The attacker may also be able
to make better guesses if he knows the details of the implementation he is
attacking.
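
A sketch of the scheme summarized in the quoted text and of the filtering concern raised in the reply, added here as an illustration; it is not code from the thread, from Bernstein's design, or from FreeBSD. The class and method names, the HMAC-SHA256 hash, the use of address and ports in the hash input, and the `check_policy_on_ack` switch are all assumptions.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


class CookieListener:
    """Simplified stateless listener; hash and field layout are assumptions."""

    def __init__(self, secrets, closed_ports=(), check_policy_on_ack=True):
        self.secrets = list(secrets)           # [current, previous, ...], all accepted
        self.closed_ports = set(closed_ports)  # ports the operator wants unreachable
        self.check_policy_on_ack = check_policy_on_ack

    def _cookie(self, secret, src, sport, dport, client_isn):
        # Keyed hash over the connection identifiers and the client's ISN.
        msg = src.encode() + struct.pack("!HHI", sport, dport, client_isn)
        digest = hmac.new(secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")  # 32 bits fit the sequence field

    def on_syn(self, src, sport, dport, client_isn):
        """Return the ISN for the SYN-ACK (nothing is stored), or None if filtered."""
        if dport in self.closed_ports:
            return None
        return self._cookie(self.secrets[0], src, sport, dport, client_isn)

    def on_ack(self, src, sport, dport, seq, ack):
        """Third handshake packet: seq = client ISN + 1, ack = cookie + 1."""
        # Without this check, dropping SYNs alone does not close the port.
        if self.check_policy_on_ack and dport in self.closed_ports:
            return False
        client_isn, claimed = (seq - 1) & MASK32, (ack - 1) & MASK32
        return any(self._cookie(s, src, sport, dport, client_isn) == claimed
                   for s in self.secrets)

    def blind_guess_odds(self):
        """Upper bound on the chance that a single blind ACK matches."""
        return len(self.secrets) / 2**32
```

With `check_policy_on_ack` off, an ACK carrying the right value for a closed port is accepted even though every SYN to that port is dropped. Each extra old secret that stays valid also raises the value returned by `blind_guess_odds`.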

