From owner-freebsd-current Tue May 21 12:32:48 1996
Return-Path: owner-current
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id MAA21953 for current-outgoing; Tue, 21 May 1996 12:32:48 -0700 (PDT)
Received: from apocalypse.superlink.net (root@apocalypse.superlink.net [205.246.27.150]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id MAA21945 for ; Tue, 21 May 1996 12:32:42 -0700 (PDT)
Received: (from marxx@localhost) by apocalypse.superlink.net (8.7.5/8.7.3) id LAA01779; Tue, 21 May 1996 11:41:48 -0400 (EDT)
Date: Tue, 21 May 1996 11:41:48 -0400 (EDT)
From: "Charles C. Figueiredo"
To: "Brett L. Hawn"
cc: current@FreeBSD.ORG
Subject: Re: freebsd + synfloods + ip spoofing
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-current@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

"I don't want to grow up, I'm a BSD kid. There's so many toys in /usr/bin
that I can play with!"
------------------------------------------------------------------------------
Charles C. Figueiredo            Marxx            marxx@superlink.net
------------------------------------------------------------------------------

On Tue, 21 May 1996, Brett L. Hawn wrote:

> On Mon, 20 May 1996, Charles C. Figueiredo wrote:
>
> > Using DES as a random number generator would be excellent, but might
> > not be quick enough. It was rather nicely discussed in an IP spoofing and
> > TCP sequence prediction paper I read. Being easy to syn flood + spoof has
> > not much to do when it comes to FreeBSD vs. Linux, after 1.3.7x I believe
> > a patch isn't even needed to spoof an IP packet. Let's face it, it would
> > be somewhat silly to attempt to disallow IP packet spoofing, all you're
> > doing is manually building an IP header, and sending it away. Traceroute
> > and the such need to generate their own headers. Besides, unless your
> > clueless losers and lame crackers gain root, they can't open raw sockets.
> > Most spoofing/sequencing/hijacking attempts and experiments are from people
> > with individual workstations, connected, not users on a server.
> > Practically all Unices are easy to syn flood + spoof on, ok, it only takes
> > 8 requests to hose, but that's irrelevant. The problem doesn't lie in how
> > quickly, it's that it occurs. The problem shouldn't be dealt with on the
> > client side, but on the server side.
> >
>
> The problem lies in the fact that 1: not all OS's are easily synfloodable,
> seeing as not all OS's are easily sequenced like fbsd is. 2: as the net

All OS's, that have real TCP implementations, are syn floodable at the
moment.

> grows more and more 'lusers' are running linux/fbsd/etc at home on a PPP
> link and therefore have root privs and can open a raw socket. 'Spoofing
> Warez' as they're known are becoming more and more prevalent on certain
> parts of IRC and it's to the point now where the person spoofing you doesn't
> even have to know what they're doing, all they do is fill out a basic
> formula of command line arguments and *poof* they're you.
>
> For kicks some time ago I built a spoofer and I can tell you this much,
> creating at least a pseudo-random number generator for sequencing will stop
> a large # of the spoofers.
>
> Brett
>
>
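
Added example, not part of the original message or of any FreeBSD code: the thread's point about unpredictable initial sequence numbers, shown by setting a constructed fixed-step counter beside the scheme later standardized in RFC 6528, ISN = M + F(4-tuple, secret). The addresses, ports, step size, function names and the choice of HMAC-SHA256 for F are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import socket
import struct

MASK32 = 0xFFFFFFFF
BOOT_SECRET = os.urandom(16)  # assumption: secret chosen once per boot


def counter_isn(conn_index, start=1, step=64000):
    """Constructed model of a predictable ISN: fixed step per connection."""
    return (start + conn_index * step) & MASK32


def hashed_isn(laddr, lport, raddr, rport, now, secret=BOOT_SECRET):
    """RFC 6528 style: ISN = M + F(local ip/port, remote ip/port, secret)."""
    m = int(now * 250_000) & MASK32  # M: 32-bit clock, one tick per 4 us
    four_tuple = (socket.inet_aton(laddr) + struct.pack("!H", lport)
                  + socket.inet_aton(raddr) + struct.pack("!H", rport))
    # F: HMAC-SHA256 truncated to 32 bits (used here in place of the
    # MD5 construction the RFC suggests)
    digest = hmac.new(secret, four_tuple, hashlib.sha256).digest()
    f = struct.unpack("!I", digest[:4])[0]
    return (m + f) & MASK32


def constant_step(isns):
    """Audit check: True when successive ISNs differ by one fixed amount."""
    deltas = {(b - a) & MASK32 for a, b in zip(isns, isns[1:])}
    return len(deltas) == 1


def sample_hashed(n, now=1000.0, secret=BOOT_SECRET):
    """ISNs a server would give n constructed clients at the same instant."""
    return [hashed_isn("192.0.2.1", 23, "198.51.100.%d" % (i + 1), 1025,
                       now, secret)
            for i in range(n)]


if __name__ == "__main__":
    # Constructed samples: six connections from six different peers.
    print("counter predictable:", constant_step([counter_isn(i) for i in range(6)]))
    print("hashed predictable: ", constant_step(sample_hashed(6)))
```

For one fixed 4-tuple the hashed ISN still advances with the clock, so sequence numbers stay monotonic per connection, while a peer that sees its own ISN learns nothing about the offset used for any other address pair.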