From owner-freebsd-security Fri May 14 13: 7:51 1999 Delivered-To: freebsd-security@freebsd.org Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 88137150F5 for ; Fri, 14 May 1999 13:07:49 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id OAA27946; Fri, 14 May 1999 14:07:31 -0600 (MDT) Message-Id: <4.2.0.37.19990514140618.046502a0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.37 (Beta) Date: Fri, 14 May 1999 14:07:26 -0600 To: Don Lewis , Thamer Al-Herbish , security@FreeBSD.ORG From: Brett Glass Subject: Re: Forwarded from BUGTRAQ: SYN floods against FreeBSD In-Reply-To: <199905140546.WAA06542@salsa.gv.tsc.tdk.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 10:46 PM 5/13/99 -0700, Don Lewis wrote: >One potential danger is that you can't totally block incoming connections >to vulnerable ports by filtering out incoming SYN packets. If an attacker >can guess what sequence number you would have sent in a SYN-ACK, he can >establish a connection by just sending the third packet in the initial >three-way handshake. This isn't especially easy to brute force because >the sequence space is a 32 bit number, but it's not totally unreasonable >either if the attacker is patient enough. The attacker may also be able >to make better guesses if he knows the details of the implementation he is >attacking. It can be made pretty tough to guess if one has a good entropy pool. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message