From owner-freebsd-security Sat Sep 7 10:40:10 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id KAA22480 for security-outgoing; Sat, 7 Sep 1996 10:40:10 -0700 (PDT)
Received: from mexico.brainstorm.eu.org (root@mexico.brainstorm.eu.org [193.56.58.253]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id KAA22467 for ; Sat, 7 Sep 1996 10:40:06 -0700 (PDT)
Received: from brasil.brainstorm.eu.org (brasil.brainstorm.eu.org [193.56.58.33]) by mexico.brainstorm.eu.org (8.7.5/8.7.3) with ESMTP id TAA00349; Sat, 7 Sep 1996 19:39:55 +0200
Received: (from uucp@localhost) by brasil.brainstorm.eu.org (8.6.12/8.6.12) with UUCP id TAA00417; Sat, 7 Sep 1996 19:39:38 +0200
Received: (from roberto@localhost) by keltia.freenix.fr (8.8.Beta.1/keltia-uucp-2.9) id TAA10976; Sat, 7 Sep 1996 19:38:29 +0200 (MET DST)
Message-Id: <199609071738.TAA10976@keltia.freenix.fr>
Date: Sat, 7 Sep 1996 19:38:29 +0200
From: roberto@keltia.freenix.fr (Ollivier Robert)
To: freebsd-security@freebsd.org (FREEBSD-SECURITY-L), BUGTRAQ@NETSPACE.ORG
Subject: Re: Panix Attack: synflooding and source routing?
In-Reply-To: ; from Brian Tao on Sep 7, 1996 11:44:18 -0400
References:
X-Mailer: Mutt 0.42
Mime-Version: 1.0
X-Operating-System: FreeBSD 2.2-CURRENT ctm#2415
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

According to Brian Tao:
> Wouldn't turning off source-routing on your border router
> alleviate most of this problem?  It won't help if you have someone
> synflooding a port from within your network, but at least it would
> prevent outside attacks.

The attack doesn't seem to have source routing in it. Source addresses in
the packets are random, that's all.

> Or is this a "one-way" attack (i.e., a return route to host is not
> needed)?

It is. SYN-flooding cannot really be prevented as far as I know.

The attack lies in the fact that TCP/IP stacks must wait for a timeout
(2MSL) if there is no ACK in answer to the SYN,ACK the target sent.

  attacker -------- SYN -----------> target
  SYN_SENT <-------- SYN, ACK ------ SYN_RCVD
           -------- FIN ----------->

As the connection never completes, these half-open connections are not
logged in any way. They are also used for port scanning.

> > For those who are IP hackers, the problem is that we're being flooded
> > with SYNs from random IP addresses on our smtp ports.  We are getting
> > on average 150 packets per second (50 per host).

The target's resources will be quickly exhausted by that kind of attack...
-- 
Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 2.2-CURRENT #20: Fri Aug 30 23:00:02 MET DST 1996
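The exhaustion mechanism the message describes (a SYN_RCVD entry per unanswered SYN, held until a timeout, with random source addresses so no single peer stands out) can be modelled on the defender's side. The following is an added example, not code from the original mail or from FreeBSD: a small tracker that keeps the half-open table for a target, expires entries after a timeout, and raises an alert when one port accumulates many half-open entries from many distinct sources. The timeout, thresholds, log format and sample packets are all constructed for the example; the 75-second timeout is an assumption and is not the 2MSL value the message mentions.

```python
"""Half-open (SYN_RCVD) connection tracker with a SYN-flood detector."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed parameters (assumptions, not taken from the original message).
HALF_OPEN_TIMEOUT = 75.0    # seconds a SYN_RCVD entry is kept before the stack gives up
HALF_OPEN_ALERT = 10        # half-open entries on one port that trigger an alert
MIN_DISTINCT_SOURCES = 8    # random-source floods show many unique addresses per port


@dataclass
class Event:
    ts: float      # seconds since capture start
    src: str       # source address as carried in the packet (may be spoofed)
    dport: int     # destination port on the target
    flags: str     # "S" = SYN, "A" = final ACK of the handshake, "R" = RST


def parse_line(line: str) -> Event:
    """Parse one constructed 'ts src dport flags' log line."""
    ts, src, dport, flags = line.split()
    return Event(float(ts), src, int(dport), flags)


class HalfOpenTracker:
    """Mirrors the target's SYN_RCVD table: one entry per unanswered SYN."""

    def __init__(self, timeout: float = HALF_OPEN_TIMEOUT):
        self.timeout = timeout
        self.pending: dict[tuple[str, int], float] = {}   # (src, dport) -> SYN arrival time
        self.peak: dict[int, int] = defaultdict(int)       # dport -> largest half-open count seen

    def _expire(self, now: float) -> None:
        # Entries older than the timeout are reaped, exactly as the stack would do.
        for key, t0 in list(self.pending.items()):
            if now - t0 > self.timeout:
                del self.pending[key]

    def feed(self, ev: Event) -> None:
        self._expire(ev.ts)
        key = (ev.src, ev.dport)
        if ev.flags == "S":
            self.pending[key] = ev.ts            # SYN,ACK sent, now waiting for the ACK
        elif ev.flags in ("A", "R"):
            self.pending.pop(key, None)          # handshake completed or aborted
        n = self.half_open(ev.dport)
        self.peak[ev.dport] = max(self.peak[ev.dport], n)

    def half_open(self, dport: int) -> int:
        return sum(1 for (_, p) in self.pending if p == dport)

    def distinct_sources(self, dport: int) -> int:
        return len({s for (s, p) in self.pending if p == dport})


def detect_syn_flood(lines, timeout=HALF_OPEN_TIMEOUT,
                     alert=HALF_OPEN_ALERT, min_sources=MIN_DISTINCT_SOURCES):
    """Return ([(dport, ts, half_open, distinct_sources), ...], tracker)."""
    tracker = HalfOpenTracker(timeout)
    alerts, alerted = [], set()
    for line in lines:
        ev = parse_line(line)
        tracker.feed(ev)
        n, u = tracker.half_open(ev.dport), tracker.distinct_sources(ev.dport)
        if n >= alert and u >= min_sources and ev.dport not in alerted:
            alerted.add(ev.dport)                # one alert per port is enough
            alerts.append((ev.dport, ev.ts, n, u))
    return alerts, tracker


# Constructed sample capture: two normal exchanges on port 80, then twelve SYNs
# to port 25 from twelve different (spoofed-looking) addresses that never ACK,
# then one more normal SYN on port 80 long after the flood so expiry is visible.
SAMPLE_LOG = [
    "0.00 10.0.0.5 80 S", "0.10 10.0.0.5 80 A",
    "0.20 10.0.0.6 80 S", "0.30 10.0.0.6 80 R",
] + [f"{1.0 + i * 0.05:.2f} 198.51.100.{i + 1} 25 S" for i in range(12)] + [
    "100.00 10.0.0.7 80 S",
]

if __name__ == "__main__":
    found, trk = detect_syn_flood(SAMPLE_LOG)
    for dport, ts, n, u in found:
        print(f"t={ts:.2f}s port {dport}: {n} half-open from {u} sources")
    print("peak half-open per port:", dict(trk.peak))
```

The alert fires on the tenth unanswered SYN to port 25, while the two port-80 handshakes never raise one; after the 100-second SYN every port-25 entry has aged out, which is the same timeout-driven recovery the message relies on. Counting distinct sources is what separates a random-source flood from a single slow or misbehaving peer.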