From owner-freebsd-security Sun Feb 25 10:48:59 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id KAA11498 for security-outgoing; Sun, 25 Feb 1996 10:48:59 -0800 (PST)
Received: from rover.village.org (rover.village.org [204.144.255.49]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id KAA11487 for ; Sun, 25 Feb 1996 10:48:51 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by rover.village.org (8.6.11/8.6.6) with SMTP id LAA18341; Sun, 25 Feb 1996 11:48:33 -0700
Message-Id: <199602251848.LAA18341@rover.village.org>
To: "Garrett A. Wollman"
Subject: Re: Alert: UDP Port Denial-of-Service Attack (fwd)
Cc: freebsd-security@FreeBSD.ORG
In-reply-to: Your message of Sun, 25 Feb 1996 13:21:16 EST
Date: Sun, 25 Feb 1996 11:48:33 -0700
From: Warner Losh
Sender: owner-security@FreeBSD.ORG
Precedence: bulk

: However, it is trivial to get the daytime service to ping-pong with
: the echo service. Same thing for the chargen service (don't know what
: purpose that serves...)

True, I'd forgotten that part. Chargen is for network testing. The
original theory was to see if the UDP/TCP implementations are working.
It is a good thing for that, but not good enough for this latest attack.

: > UDP is, at present, the only thing impacted. It only takes one rogue
: > packet to set them jabbering at each other (which is one reason we
: > don't allow any IP packets with "src" of one of our netblock through
: > our firewall).
:
: Of course, that doesn't help you if the forged source is on someone
: else's network...

That's why we also filter almost all inbound UDP messages as well :-)
I think we let in DNS packets, and that is about it.

: > I don't see how a TCP attack could succeed given the
: > three way handshake that is required by TCP to establish a connection.
:
: Guess the Initial Sequence Number. On old BSD systems, this was
: almost trivial. On modern BSD systems, this is much more difficult.

I know that's how you make machine A think machine B is talking to it,
but how do you do both sides such that connections will be established?
The initial three way handshake is asymmetric.

Warner
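The two border-filter rules Warner describes (drop inbound packets whose source claims to be inside the site's own netblock, and drop inbound UDP other than DNS), plus a check for the echo/chargen/daytime "ping-pong" pairing that Garrett mentions, written out as an executable policy. This is an added example for illustration and is not code from the mail, from FreeBSD, or from either author; the netblock, the port list, and the sample packets are constructed for the example, and a real border filter would also need the outbound (egress) rule and stateful handling of DNS replies.

```python
"""Inbound border-filter policy for the UDP ping-pong attack discussed above.

Added example (not from the original mail). Rules, in the order they are
applied to a packet arriving on the outside interface:
  1. drop anything whose source address lies inside OUR_NETBLOCK
     (it cannot legitimately arrive from outside, so it is spoofed);
  2. drop UDP between any two of the "small services" (echo 7, daytime 13,
     chargen 19), the pairing that makes two hosts jabber at each other;
  3. drop all other inbound UDP unless one end is DNS (port 53).
Everything else is accepted.  The netblock and the sample packets below are
constructed for this example (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

OUR_NETBLOCK = ip_network("192.0.2.0/24")          # constructed site prefix
DNS_PORT = 53
SMALL_SERVICES = {7: "echo", 13: "daytime", 19: "chargen"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str     # "udp" or "tcp"
    sport: int
    dport: int


def filter_inbound(pkt: Packet) -> tuple:
    """Return (verdict, reason) for one inbound packet."""
    if ip_address(pkt.src) in OUR_NETBLOCK:
        return "drop", "spoofed: source inside our own netblock"
    if pkt.proto == "udp":
        if pkt.sport in SMALL_SERVICES and pkt.dport in SMALL_SERVICES:
            pair = f"{SMALL_SERVICES[pkt.sport]}->{SMALL_SERVICES[pkt.dport]}"
            return "drop", f"small-service loop {pair}"
        if DNS_PORT not in (pkt.sport, pkt.dport):
            return "drop", "inbound UDP other than DNS"
    return "accept", "ok"


def audit(packets) -> dict:
    """Count verdicts over a batch of packets; handy for checking a policy
    against a captured sample before deploying it."""
    counts = {"accept": 0, "drop": 0}
    for pkt in packets:
        verdict, _ = filter_inbound(pkt)
        counts[verdict] += 1
    return counts


# Constructed sample traffic: one packet per rule, plus legitimate traffic.
SAMPLE = [
    Packet("192.0.2.10", "192.0.2.1", "udp", 7, 19),        # forged inside src
    Packet("198.51.100.5", "192.0.2.1", "udp", 19, 7),      # chargen->echo loop
    Packet("198.51.100.5", "192.0.2.1", "udp", 40000, 111), # stray UDP (portmap)
    Packet("198.51.100.53", "192.0.2.1", "udp", 53, 1025),  # DNS reply to resolver
    Packet("198.51.100.5", "192.0.2.1", "tcp", 40000, 22),  # TCP, left to the
                                                             # three-way handshake
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}/{p.proto}: "
              f"{' '.join(filter_inbound(p))}")
    print(audit(SAMPLE))
```

The spoof check comes first on purpose: a packet carrying one of our own addresses as source is dropped regardless of protocol, which is the single-packet trigger Warner's netblock rule is aimed at. The small-service check only catches loops that cross the border; two hosts inside the same netblock can still be paired, so the services themselves should also be disabled in inetd where they are not needed.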