Date: Sat, 7 Sep 1996 11:43:14 -0700 (PDT)
From: Mike Tsirulnikov
To: Ollivier Robert
cc: FREEBSD-SECURITY-L, BUGTRAQ@NETSPACE.ORG
Subject: Re: Panix Attack: synflooding and source routing?
In-Reply-To: <199609071738.TAA10976@keltia.freenix.fr>

Why don't you move your mail gateway to another machine or change the
identity of the current one? I am just wondering...

Mike

On Sat, 7 Sep 1996, Ollivier Robert wrote:

> Date: Sat, 7 Sep 1996 19:38:29 +0200
> From: Ollivier Robert
> To: FREEBSD-SECURITY-L, BUGTRAQ@NETSPACE.ORG
> Subject: Re: Panix Attack: synflooding and source routing?
>
> According to Brian Tao:
> > Wouldn't turning off source-routing on your border router
> > alleviate most of this problem? It won't help if you have someone
> > synflooding a port from within your network, but at least it would
> > prevent outside attacks.
>
> The attack doesn't seem to have source routing in it. Source addresses in
> the packets are random, that's all.
>
> > Or is this a "one-way" attack (i.e., a return route to host is not
> > needed)?
>
> It is.
>
> SYN-flooding cannot really be prevented as far as I know. The attack lies
> in the fact that TCP/IP stacks must wait for a timeout (2MSL) if there is no
> ACK in answer to the SYN,ACK the target sent.
>
> attacker -------- SYN -----------> target
> SYN_SENT
>          <-------- SYN, ACK ------ SYN_RCVD
>          -------- FIN ----------->
>
> As the connection never completes, these half-open connections are not logged in any
> way. They are also used for port scanning.
>
> > > For those who are IP hackers, the problem is that we're being flooded
> > > with SYNs from random IP addresses on our smtp ports. We are getting
> > > on average 150 packets per second (50 per host).
>
> The target resources will be fast exhausted by that kind of attack...
> --
> Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.freenix.fr
> FreeBSD keltia.freenix.fr 2.2-CURRENT #20: Fri Aug 30 23:00:02 MET DST 1996
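As an added illustration (not part of the thread), the following Python model shows why the half-open state Ollivier describes exhausts the target: each unanswered SYN,ACK holds a SYN_RCVD slot until its timer expires, so SYNs with random, unreachable sources fill a fixed backlog and later legitimate SYNs are refused. The backlog size, the timeout and the 192.0.2.10 client address are constructed values, and `seconds_to_fill` gives the general fill-time condition of which the 50-per-host figure quoted above is one instance.

```python
from collections import deque
import random

# Constructed parameters: stacks of the era differed, but the shape is the same.
BACKLOG = 128            # half-open (SYN_RCVD) entries one listener can hold
SYN_RCVD_TIMEOUT = 75.0  # seconds an unanswered SYN,ACK is kept (the "2MSL" wait)

class HalfOpenTable:
    """Queue of SYN_RCVD entries for one listening port, oldest first."""
    def __init__(self, capacity, timeout):
        self.capacity, self.timeout = capacity, timeout
        self.entries = deque()   # (expiry_time, source_address)
        self.dropped = 0

    def expire(self, now):
        # Entries leave only when their timer runs out: no ACK ever completes them.
        while self.entries and self.entries[0][0] <= now:
            self.entries.popleft()

    def syn(self, now, source):
        """Return True if the SYN got a slot, False if the backlog was full."""
        self.expire(now)
        if len(self.entries) >= self.capacity:
            self.dropped += 1
            return False
        self.entries.append((now + self.timeout, source))
        return True

def seconds_to_fill(capacity, rate_pps, timeout):
    """Seconds until the backlog is full, or None if expiry keeps pace with the SYNs."""
    if rate_pps * timeout <= capacity:
        return None
    return capacity / rate_pps

def simulate(rate_pps, seconds, capacity=BACKLOG, timeout=SYN_RCVD_TIMEOUT):
    """Feed SYNs from random, never-answering sources, then try one real client."""
    rng = random.Random(1)
    table = HalfOpenTable(capacity, timeout)
    accepted = 0
    for i in range(rate_pps * seconds):
        now = i / rate_pps
        src = "%d.%d.%d.%d" % tuple(rng.randrange(256) for _ in range(4))
        if table.syn(now, src):
            accepted += 1
    dropped_during_flood = table.dropped
    legit_ok = table.syn(float(seconds), "192.0.2.10")  # constructed client address
    return {"accepted": accepted, "dropped": dropped_during_flood, "legit_ok": legit_ok}
```

With the constructed defaults, 50 SYNs per second fill the backlog in 2.56 seconds and a real client is refused afterwards; shortening the timeout to one second lets expiry keep pace, which is the lever the quoted "2MSL" wait denies the defender.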