Date:      Sat, 7 Sep 1996 11:43:14 -0700 (PDT)
From:      Mike Tsirulnikov <mt@cns.ucla.edu>
To:        Ollivier Robert <roberto@keltia.freenix.fr>
Cc:        FREEBSD-SECURITY-L <freebsd-security@freebsd.org>, BUGTRAQ@NETSPACE.ORG
Subject:   Re: Panix Attack: synflooding and source routing?
Message-ID:  <Pine.A32.3.91.960907114109.21221A-100000@quark.cns.ucla.edu>
In-Reply-To: <199609071738.TAA10976@keltia.freenix.fr>

Why don't you move your mail gateway to another machine or
change the identity of the current one?

I am just wondering...

Mike

On Sat, 7 Sep 1996, Ollivier Robert wrote:

> Date: Sat, 7 Sep 1996 19:38:29 +0200
> From: Ollivier Robert <roberto@keltia.freenix.fr>
> To: FREEBSD-SECURITY-L <freebsd-security@freebsd.org>,
>     BUGTRAQ@NETSPACE.ORG
> Subject: Re: Panix Attack: synflooding and source routing?
> 
> According to Brian Tao:
> >     Wouldn't turning off source-routing on your border router
> > alleviate most of this problem?  It won't help if you have someone
> > synflooding a port from within your network, but at least it would
> > prevent outside attacks.  
> 
> The attack doesn't seem to have source routing in it. Source addresses in
> the packets are random, that's all.
> 
> > Or is this a "one-way" attack (i.e., a return route to host is not
> > needed)?
> 
> It is.
> 
> SYN-flooding cannot really be prevented as far as I know. The attack lies
> in the fact that TCP/IP stacks must wait for a timeout (2MSL) if there is no
> ACK in answer to the SYN,ACK the target sent.
> 
>         attacker  -------- SYN -----------> target
>         SYN_SENT 
>                  <-------- SYN, ACK ------  SYN_RCVD
>                   -------- FIN -----------> 
> 
> As the connection never completes, these half-open are not logged in any
> way. They are also used for port scanning.
> 
> > >   For those who are IP hackers, the problem is that we're being flooded
> > >   with SYNs from random IP addresses on our smtp ports. We are getting
> > >   on average 150 packets per second (50 per host).
> 
> The target resources will be fast exhausted by that kind of attack... 
> -- 
> Ollivier ROBERT    -=- The daemon is FREE! -=-    roberto@keltia.freenix.fr
> FreeBSD keltia.freenix.fr 2.2-CURRENT #20: Fri Aug 30 23:00:02 MET DST 1996
> 
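
An added example, not part of either message above: since half-open connections are not logged, one way to spot the flood described in the thread is to count sockets sitting in SYN_RCVD per local port in `netstat -an` output. The sample input, the threshold and all function names are assumptions made for this illustration; it also accepts the Linux `addr:port` layout and `SYN_RECV` state name.

```python
from collections import defaultdict

# Constructed sample in BSD `netstat -an` layout (addr.port); not real traffic.
SAMPLE = """\
tcp4       0      0  192.0.2.10.25          198.51.100.7.1042      SYN_RCVD
tcp4       0      0  192.0.2.10.25          203.0.113.99.3310      SYN_RCVD
tcp4       0      0  192.0.2.10.25          198.51.100.200.2201    SYN_RCVD
tcp4       0      0  192.0.2.10.25          203.0.113.5.4999       SYN_RCVD
tcp4       0      0  192.0.2.10.22          192.0.2.50.1023        ESTABLISHED
tcp4       0      0  192.0.2.10.80          198.51.100.9.5120      SYN_RCVD
tcp4       0      0  *.25                   *.*                    LISTEN
"""

HALF_OPEN = {"SYN_RCVD", "SYN_RECV"}  # BSD and Linux names for the same state


def split_endpoint(endpoint):
    """Split 'addr.port' (BSD) or 'addr:port' (Linux) at the last separator."""
    i = max(endpoint.rfind("."), endpoint.rfind(":"))
    return endpoint[:i], endpoint[i + 1:]


def half_open_by_port(netstat_text):
    """Map local port -> set of remote addresses stuck in the half-open state."""
    ports = defaultdict(set)
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # skip headers, UDP and malformed lines
        local, remote, state = fields[3], fields[4], fields[5]
        if state in HALF_OPEN:
            ports[split_endpoint(local)[1]].add(split_endpoint(remote)[0])
    return ports


def flooded_ports(netstat_text, threshold):
    """Ports with at least `threshold` distinct half-open sources (assumed tuning value)."""
    return {port: len(srcs)
            for port, srcs in half_open_by_port(netstat_text).items()
            if len(srcs) >= threshold}


if __name__ == "__main__":
    for port, n in sorted(flooded_ports(SAMPLE, threshold=3).items()):
        print(f"port {port}: {n} distinct sources in half-open state")
```

On a real host the threshold has to be set well above the normal half-open backlog for the service, which varies with load.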



