Date:      Wed, 22 May 1996 13:42:16 -0400 (EDT)
From:      "Charles C. Figueiredo" <marxx@apocalypse.superlink.net>
To:        "Brett L. Hawn" <blh@nol.net>
Cc:        Paul Traina <pst@Shockwave.COM>, Garrett Wollman <wollman@lcs.mit.edu>, Poul-Henning Kamp <phk@critter.tfs.com>, current@FreeBSD.ORG
Subject:   Re: freebsd + synfloods + ip spoofing 
Message-ID:  <Pine.BSF.3.91.960522133846.3698F-100000@apocalypse.superlink.net>
In-Reply-To: <Pine.SOL.3.93.960522162030.15887A-100000@dazed.nol.net>




On Wed, 22 May 1996, Brett L. Hawn wrote:

> On Wed, 22 May 1996, Charles C. Figueiredo wrote:
> 
> > > So we're to say 'well, they're wrong so it's ok for us to be' ? I think not
> > > 
> > > Brett
> > > 
> > > 
> > 	Of course not! The only point I was touching on, is the fact that 
> > you were wrong in making FreeBSD's implementation seem archaic and 
> > extremely insecure in comparison to others. Which it isn't.
> 
> I disagree, considering all the testing I've done in the last few days with
> sequencing and synfloods I'd have to say fbsd is the all around loser in
> this category. I've tested the following OS's for ease of sequence guessing,
> guess which one was by far the easiest to screw with:
> 
> FreeBSD
> Linux
> HP-UX
> Solaris 2.4
> Solaris 2.5
> Solaris 2.4x86
> Solaris 2.5x86
> SunOS 4.1.1
> SunOS 4.1.3 (note that SunOS was pretty easy to fuck over as well)
> Irix
> BSDi 2.0
> AIX (version unknown)
> UnixWare 2.3
> 
> and at least 2 others which I don't recall off hand
> 
> Of all of these the FreeBSD and the SunOS machines were incredibly easy to
> hose up by guessing their tcp sequences, the others took on the average of
> 10 tries apiece to get even close. 

	The problem doesn't lie in the sequence generator, the problem lies 
in the fact that any 4.{3.4}BSD derived OS gets hosed up by 8 SYN packets 
from an unreachable host, that's all, 8. That's why, as you notice, 
SunOS is affected too. What I've been trying to say is that nothing is 
wrong with the generator, as compared to other OSs, FreeBSD's is 
actually better! The problem is that FreeBSD, as other BSD OSs, only 
takes 8 SYN packets from an unreachable host to hose.

 

> 
> Brett
> 
> 



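Added example, not part of the original message or of any BSD source: a small C model of the pending-connection queue behaviour the message describes, showing why 8 unanswered SYNs are enough to make a listener refuse a legitimate client until the entries time out. The limit of 8 is taken from the message; the 75-second timeout and all names (`listener`, `on_syn`, `half_open`) are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define BACKLOG     8   /* pending-connection limit: the "8" from the message */
#define SYN_TIMEOUT 75  /* assumed lifetime of a half-open entry, in seconds */

struct listener {
    long expires[BACKLOG];  /* expiry time of each slot, 0 = free */
    unsigned long dropped;  /* SYNs refused because every slot was taken */
};

/* Release slots whose handshake never completed, then count what is left. */
int half_open(struct listener *l, long now) {
    int used = 0;
    for (size_t i = 0; i < BACKLOG; i++) {
        if (l->expires[i] != 0 && l->expires[i] <= now)
            l->expires[i] = 0;
        if (l->expires[i] != 0)
            used++;
    }
    return used;
}

/* Process one SYN. peer_answers says whether the SYN-ACK reaches the source
 * and the final ACK comes back. Returns false when the SYN is dropped. */
bool on_syn(struct listener *l, long now, bool peer_answers) {
    if (half_open(l, now) == BACKLOG) {
        l->dropped++;
        return false;
    }
    if (peer_answers)
        return true;  /* handshake completes at once in this model; no slot held */
    for (size_t i = 0; i < BACKLOG; i++)
        if (l->expires[i] == 0) {
            l->expires[i] = now + SYN_TIMEOUT;
            break;
        }
    return true;
}

int main(void) {
    struct listener l = {{0}, 0};
    for (int i = 0; i < BACKLOG; i++)
        on_syn(&l, 1, false);              /* sources that never answer */
    printf("half-open=%d legit_accepted=%d\n", half_open(&l, 2), on_syn(&l, 2, true));
    printf("after timeout: legit_accepted=%d\n", on_syn(&l, 1 + SYN_TIMEOUT, true));
    return 0;
}
```

A `half_open()` value pinned at `BACKLOG` together with a rising `dropped` counter is the condition a monitor would alert on in this model.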