Date: Mon, 22 Oct 2001 14:15:49 -0500 (CDT)
From: Mike Silbersack
To: Fernando Gont
Subject: Re: SYN flood and IP spoofing
In-Reply-To: <4.3.2.7.2.20011021061340.00d8bc80@mail.sitanium.com>
Message-ID: <20011022141035.H70111-100000@achilles.silby.com>

On Sun, 21 Oct 2001, Fernando Gont wrote:

> >That's an old explanation; basically any OS released in the last few years
> >will throw old/random connections out of the queue when it fills up.
>
> Anyway, I wonder how the old implementations behaved, and why they behaved
> like that.

I don't think it's worth worrying about how old implementations behaved
at this point in time. They weren't designed for the hostile environment
of today's internet, and have long since been replaced by newer stacks
with better countermeasures. If you encounter an old system, it's
probably better to start upgrading it to a newer version of whatever OS
it runs than to analyze it.

> >(I'm assuming that's how Mitnick did it; I'm not aware that
> >he has revealed exactly how he did anything,
>
> He didn't do it. It was the owner of the attacked host that revealed it, in
> a post to comp.security.misc. Maybe I'll look for it some day.

In either case, it doesn't matter anymore. We're using strong sequence
numbers, and ip-based authentication has many better replacements now.

Mike "Silby" Silbersack