From owner-freebsd-security Tue Sep 10 12:35:50 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id MAA08367 for security-outgoing; Tue, 10 Sep 1996 12:35:50 -0700 (PDT)
Received: from www.trifecta.com (www.trifecta.com [206.245.150.3]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id MAA08358 for ; Tue, 10 Sep 1996 12:35:46 -0700 (PDT)
Received: (from dev@localhost) by www.trifecta.com (8.7.5/8.6.12) id PAA13466; Tue, 10 Sep 1996 15:31:50 -0400 (EDT)
Date: Tue, 10 Sep 1996 15:31:50 -0400 (EDT)
From: Dev Chanchani
To: Brian Tao
cc: FREEBSD-SECURITY-L, BUGTRAQ@NETSPACE.ORG
Subject: Re: Panix Attack: synflooding and source routing?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Sat, 7 Sep 1996, Brian Tao wrote:

> Wouldn't turning off source-routing on your border router
> alleviate most of this problem? It won't help if you have someone
> synflooding a port from within your network, but at least it would
> prevent outside attacks. Or is this a "one-way" attack (i.e., a
> return route to host is not needed)?

syn-flooding denial of service attacks are one-way attacks. basically,
the attacker will spoof tcp/syn packets to a particular port on your
machine. typical *nix systems will have a buffer for 4-8 un-acked syn's.
this means if they begin to flood your system with syn's without
establishing the connection, your system will hang in a semi-open socket
state, denying other connection open requests. because the attacks are
spoofed, you cannot deny packets from a particular host.

anyone have any ideas for writing a particular monitor or patch dealing
with this attack?
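
One shape the monitor asked about in the message above could take, as an added example that is not part of the original post or of any FreeBSD code: it counts sockets stuck in SYN_RCVD per local port from BSD-style `netstat -an` output and flags ports whose half-open count reaches the backlog. The function names, the sample lines and the default `backlog=8` (taken from the 4-8 figure in the message) are assumptions.

```python
import re
from collections import defaultdict

# Constructed BSD-style `netstat -an` lines (documentation addresses, not real traffic).
SAMPLE = "\n".join(
    ["Proto Recv-Q Send-Q  Local Address    Foreign Address      (state)"]
    + [f"tcp  0  0  192.0.2.10.80  203.0.113.{i}.{1024 + i}  SYN_RCVD" for i in range(1, 9)]
    + ["tcp  0  0  192.0.2.10.25  198.51.100.7.1033  SYN_RCVD",
       "tcp  0  0  192.0.2.10.25  198.51.100.9.2201  ESTABLISHED",
       "tcp  0  0  *.22  *.*  LISTEN"]
)

# proto, Recv-Q, Send-Q, local addr.port, foreign addr.port, state
LINE = re.compile(r"^tcp\S*\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def half_open_by_port(netstat_text):
    """Map local port -> list of foreign hosts for sockets stuck in SYN_RCVD."""
    pending = defaultdict(list)
    for line in netstat_text.splitlines():
        m = LINE.match(line.strip())
        if not m or m.group(3) != "SYN_RCVD":
            continue
        port = m.group(1).rsplit(".", 1)[-1]      # BSD netstat prints addr.port
        if not port.isdigit():
            continue
        pending[port].append(m.group(2).rsplit(".", 1)[0])
    return dict(pending)

def flooded_ports(netstat_text, backlog=8):
    """Return (port, half_open, distinct_sources) for ports at or over the backlog.

    `backlog` is an assumed queue size. Source addresses are only counted,
    never used for blocking, because the message notes they are spoofed.
    """
    report = []
    by_port = half_open_by_port(netstat_text)
    for port in sorted(by_port, key=int):
        hosts = by_port[port]
        if len(hosts) >= backlog:
            report.append((int(port), len(hosts), len(set(hosts))))
    return report

if __name__ == "__main__":
    for port, count, sources in flooded_ports(SAMPLE):
        print(f"port {port}: {count} half-open connections from {sources} distinct sources")
```

A high half-open count spread across many distinct sources on one port is the signature the message describes; a single slow client shows up as one or two entries and stays under the threshold.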