Date:      Wed, 22 May 1996 19:52:27 -0400 (EDT)
From:      "Charles C. Figueiredo" <marxx@apocalypse.superlink.net>
To:        Terry Lambert <terry@lambert.org>
Cc:        "Brett L. Hawn" <blh@nol.net>, pst@Shockwave.COM, wollman@lcs.mit.edu, phk@critter.tfs.com, current@FreeBSD.ORG
Subject:   Re: freebsd + synfloods + ip spoofing
Message-ID:  <Pine.BSF.3.91.960522194508.204A-100000@apocalypse.superlink.net>
In-Reply-To: <199605230326.UAA06229@phaeton.artisoft.com>

On Wed, 22 May 1996, Terry Lambert wrote:

> > > 	The problem doesn't lie in the sequence generator, the problem lies 
> > > in the fact that any 4.{3,4}BSD derived OS gets hosed up by 8 SYN packets 
> > > from an unreachable host, that's all, 8. That's why, as you notice, 
> > > SunOS is affected too. What I've been trying to say is that nothing is 
> > > wrong with the generator, as compared to other OSs, FreeBSD's is 
> > > actually better! The problem is that FreeBSD, like other BSD OSs, only 
> > > takes 8 SYN packets from an unreachable host to hose.
> > 
> > Ok, so now we have two problems: 1: it only takes 8 SYNs to hose fbsd; 2: an
> > easy to guess sequence generator. My guess is that #1 would be easier to
> > avoid if #2 were fixed.
> 
> Avoidance is a non-fix.  Both really need to be fixed.
> 
> Some general comments on this thread:
> 
> The BSD problem is that the sequence number is randomized at the start
> of life and rather regularly guessable from there.

	The just as important problem is that BSD hoses easily; if it 
weren't so easily hosed, any type of sequencing attack wouldn't work.
> 
> I'm also not so thin-skinned as to believe that any criticism of
> FreeBSD is calling the baby ugly.

	FreeBSD is definitely not ugly ;-)
> 
> IRC aside, it's wrong to dismiss Brett's points on the basis of
> religion.  As Sgt. Pinback said to the Bomb, an idea is valid or
> invalid independent of its source.
> 
> Personally, I wouldn't be so casual dismissing the source; but
> even if you casually dismiss the source, the idea can not be so
> easily dismissed.
> 
	I'm not dismissing the source, I'm all for making it as secure as 
possible, but if you think about it, you can't really do anything w/ 
sequencing anymore. As long as you use tcp wrappers, which everyone 
should use, and you mind your r* services, all that can be done is a 
blind telnet to a horribly secured system. Even maintaining a telnet is 
hard. Most sequencing applications have been tricking port 513. It should 
still be fixed though.

> Brett wants to make it better; don't shoot him in the head for
> bearing bad tidings because they are bad tidings.
>
	I want to, by all means, make it better; I began "shooting the head" 
after I found some of his posts somewhat offending and lame. I don't want 
to drag this on any further; if I offended Brett in any way, sorry, just 
end it, it's been silly for a while now.

_Marxx
 
> 
> 					Regards,
> 					Terry Lambert
> 					terry@lambert.org
> ---
> Any opinions in this posting are my own and not those of my present
> or previous employers.
> 

"I don't want to grow up, I'm a BSD kid. There's so many toys in /usr/bin 
that I can play with!"

------------------------------------------------------------------------------
Charles C. Figueiredo            Marxx                  marxx@superlink.net
------------------------------------------------------------------------------
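An added illustration, not part of the thread or of any BSD source: a constructed Python model of the listen-queue exhaustion Marxx describes (8 unanswered SYNs filling the half-open queue), next to a simple evict-the-oldest policy of the kind later used to keep listeners reachable. The 3*backlog/2 slot limit is modelled after 4.4BSD's sonewconn() check; the addresses and the ListenQueue class are constructed for the example.

```python
from collections import OrderedDict

# Constructed model: listen(2) backlog of 5 plus the kernel's 3*backlog/2
# fudge gives 7 half-open slots, so the 8th unanswered SYN is refused,
# matching the "8 SYN packets" figure quoted in the thread.
BACKLOG = 5
QLIMIT = 3 * BACKLOG // 2   # 7 half-open entries


class ListenQueue:
    def __init__(self, drop_oldest=False):
        self.drop_oldest = drop_oldest
        # (src, port) -> True, kept in arrival order so the oldest is first
        self.halfopen = OrderedDict()

    def syn(self, src, port):
        """Handle an incoming SYN; return True if a half-open slot was taken."""
        if len(self.halfopen) >= QLIMIT:
            if not self.drop_oldest:
                return False                      # classic behaviour: SYN dropped
            self.halfopen.popitem(last=False)     # mitigation: evict oldest entry
        self.halfopen[(src, port)] = True
        return True

    def ack(self, src, port):
        """Third handshake packet: the entry leaves the half-open queue."""
        return self.halfopen.pop((src, port), None) is not None


def simulate(drop_oldest):
    """Return (spoofed SYNs that got a slot, whether a legit client got in)."""
    q = ListenQueue(drop_oldest)
    # 8 SYNs from an unreachable (spoofed) source that never completes the
    # handshake; 10.0.0.99 is a constructed placeholder address.
    spoofed_ok = sum(q.syn("10.0.0.99", 40000 + p) for p in range(8))
    # A legitimate client (constructed address) now tries to connect.
    legit_ok = q.syn("192.0.2.10", 50000)
    if legit_ok:
        q.ack("192.0.2.10", 50000)
    return spoofed_ok, legit_ok


if __name__ == "__main__":
    print("classic queue:", simulate(False))   # (7, False): listener is hosed
    print("evict oldest: ", simulate(True))    # (8, True): listener still reachable
```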
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.91.960522194508.204A-100000>