From owner-freebsd-net Sat Oct 20 12:17:19 2001 Delivered-To: freebsd-net@freebsd.org Received: from silby.com (cb34181-a.mdsn1.wi.home.com [24.14.173.39]) by hub.freebsd.org (Postfix) with ESMTP id 6C58637B405 for ; Sat, 20 Oct 2001 12:17:15 -0700 (PDT) Received: (qmail 63978 invoked by uid 1000); 20 Oct 2001 19:17:12 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 20 Oct 2001 19:17:12 -0000 Date: Sat, 20 Oct 2001 14:17:12 -0500 (CDT) From: Mike Silbersack To: Fernando Gont Cc: Subject: Re: SYN flood and IP spoofing In-Reply-To: <4.3.2.7.2.20011020101858.00d984e0@mail.sitanium.com> Message-ID: <20011020140704.R63640-100000@achilles.silby.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sat, 20 Oct 2001, Fernando Gont wrote: > Hi! > > I've read some explanations about the SYN flood DoS attack. > I understand that when the attacker fills the listening queue of the > attacked host with incomplete connections, the attacked host will not > reply to any SYN it receives after that. That's an old explanation; basically any OS released in the last few years will throw old/random connections out of the queue when it fills up. What you actually describe here is more "spoofing" than a syn flood; a syn flood just involves blasting large numbers of syn packets at someone, with no intent of actually spoofing a connection. When Mitnick / anyone else did spoofing, it was through weaknesses in the algorithm used to generate initial sequence numbers, not through simple brute force. (I'm assuming that's how Mitnick did it; I'm not aware that he has revealed exactly how he did anything, and I doubt I'd trust him even if he did explain.) > However, I don't understand why it will not even reply with an RST > when it receives a SYN-ACK from other machine. In the general case of spoofing, you could ensure that a syn-ack does not elicit a rst by spoofing the IP of a nonexistant host. I've also read that older tcp stacks could be caused to stop emitting packets by filling their SYN queue; I'm not sure when that stopped applying. These days, spoofing really isn't a concern; those looking to find a way into a system wouldn't gain anything by spoofing and would instead look for a buffer overflow to exploit. Syn floods are alive and well, though. Mike "Silby" Silbersack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message