Date:      Sat, 7 Sep 1996 19:38:29 +0200
From:      roberto@keltia.freenix.fr (Ollivier Robert)
To:        freebsd-security@freebsd.org (FREEBSD-SECURITY-L), BUGTRAQ@NETSPACE.ORG
Subject:   Re: Panix Attack: synflooding and source routing?
Message-ID:  <199609071738.TAA10976@keltia.freenix.fr>
In-Reply-To: <Pine.NEB.3.92.960907114113.240B-100000@zap.io.org>; from Brian Tao on Sep 7, 1996 11:44:18 -0400
References:  	<Pine.NEB.3.92.960907114113.240B-100000@zap.io.org>

According to Brian Tao:
>     Wouldn't turning off source-routing on your border router
> alleviate most of this problem?  It won't help if you have someone
> synflooding a port from within your network, but at least it would
> prevent outside attacks.  

The attack doesn't seem to have source routing in it. Source addresses in
the packets are random, that's all.

> Or is this a "one-way" attack (i.e., a return route to host is not
> needed)?

It is.

SYN-flooding cannot really be prevented as far as I know. The attack lies
in the fact that TCP/IP stacks must wait for a timeout (2MSL) if there is no
ACK in answer to the SYN,ACK the target sent.

        attacker  -------- SYN -----------> target
        SYN_SENT 
                 <-------- SYN, ACK ------  SYN_RCVD
                  -------- FIN -----------> 

As the connection never completes, these half-open connections are not logged
in any way. They are also used for port scanning.

> >   For those who are IP hackers, the problem is that we're being flooded
> >   with SYNs from random IP addresses on our smtp ports. We are getting
> >   on average 150 packets per second (50 per host).

The target resources will be fast exhausted by that kind of attack... 
-- 
Ollivier ROBERT    -=- The daemon is FREE! -=-    roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 2.2-CURRENT #20: Fri Aug 30 23:00:02 MET DST 1996
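
On the target, the half-open connections described in the message above appear as sockets in the SYN_RCVD state in `netstat -an` output. The following is an added example, not part of the original message: it counts them per local port and reports how many distinct source addresses they come from. The sample output is constructed, and the function names and the threshold are assumptions.

```python
"""Count half-open (SYN_RCVD) TCP sockets per local port from `netstat -an` text."""
from collections import defaultdict

# Constructed sample in BSD `netstat -an` layout (documentation address ranges).
SAMPLE = """\
Proto Recv-Q Send-Q  Local Address      Foreign Address      (state)
tcp        0      0  192.0.2.10.25      203.0.113.7.1042     SYN_RCVD
tcp        0      0  192.0.2.10.25      198.51.100.99.4711   SYN_RCVD
tcp        0      0  192.0.2.10.25      203.0.113.200.2301   SYN_RCVD
tcp        0      0  192.0.2.10.25      198.51.100.14.1029   ESTABLISHED
tcp        0      0  192.0.2.10.22      198.51.100.14.1030   SYN_RCVD
tcp        0      0  *.25               *.*                  LISTEN
"""

HALF_OPEN = {"SYN_RCVD", "SYN_RECV"}  # BSD and Linux names for the same state


def split_endpoint(endpoint):
    """Split 'addr.port' (BSD) or 'addr:port' (Linux) at the last separator."""
    idx = max(endpoint.rfind("."), endpoint.rfind(":"))
    return endpoint[:idx], endpoint[idx + 1:]


def half_open_summary(netstat_text):
    """Return {local_port: (half_open_sockets, distinct_remote_hosts)}."""
    remotes = defaultdict(list)
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header lines, UDP, malformed rows
        local, remote, state = fields[3], fields[4], fields[5]
        if state in HALF_OPEN:
            remotes[split_endpoint(local)[1]].append(split_endpoint(remote)[0])
    return {port: (len(h), len(set(h))) for port, h in remotes.items()}


def flooded_ports(netstat_text, threshold):
    """Ports whose half-open socket count reaches a site-specific threshold."""
    summary = half_open_summary(netstat_text)
    return sorted(p for p, (total, _) in summary.items() if total >= threshold)


if __name__ == "__main__":
    for port, (total, distinct) in sorted(half_open_summary(SAMPLE).items()):
        print(f"port {port}: {total} half-open from {distinct} distinct sources")
    print("over threshold:", flooded_ports(SAMPLE, threshold=3))
```

A high half-open count spread over many distinct sources on one port matches the pattern reported in the thread (SYNs from random addresses aimed at the smtp port); the threshold has to be set against the host's normal load.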


