From owner-freebsd-security  Sat Jan 22  3:19:32 2000
Delivered-To: freebsd-security@freebsd.org
Received: from adm.sci-nnov.ru (adm.sci-nnov.ru [195.122.226.2])
	by hub.freebsd.org (Postfix) with ESMTP id 9B1AA155A5
	for <freebsd-security@FreeBSD.ORG>; Sat, 22 Jan 2000 03:19:05 -0800 (PST)
	(envelope-from vlad@sandy.ru)
Received: from anonymous.sandy.ru (anonymous.sandy.ru [195.122.226.40]) by adm.sci-nnov.ru (8.9.3/Dmiter-4.1) with ESMTP id OAA67633; Sat, 22 Jan 2000 14:14:27 +0300 (MSK)
Date: Sat, 22 Jan 2000 14:14:29 +0300
From: Vladimir Dubrovin <vlad@sandy.ru>
X-Mailer: The Bat! (v1.36) S/N D33CD428
Reply-To: Vladimir Dubrovin <vlad@sandy.ru>
Organization: Sandy Info
X-Priority: 3 (Normal)
Message-ID: <1593.000122@sandy.ru>
To: Don Lewis <Don.Lewis@tsc.tdk.com>
Cc: Tim Yardley <yardley@uiuc.edu>, news@technotronic.com,
	bugtraq@securityfocus.com, freebsd-security@FreeBSD.ORG
Subject: Re[4]: explanation and code for stream.c issues
In-reply-To: <200001221058.CAA16745@salsa.gv.tsc.tdk.com>
References: <200001221058.CAA16745@salsa.gv.tsc.tdk.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello Don Lewis,

22.01.00 13:58, you wrote: explanation and code for stream.c issues;

D> } Intruder sends SYN packet and then sends, lets say 1000 ACK packets to
D> } the  same port from same port and source address. SYN packet will open
D> } ipfilter  to  pass  all  others  packets.  This  attack  doesn't  need
D> } randomization for each packet.

D> Instead of producing RST responses, this will produce ACKs. Your earlier
D> comment about this prompted my comment in another thread about the
D> possible need to rate limit ACK packets.

This  will  not  produce  ACK packets, if ACK send by intruder doesn't
conform  sequence  number  in the SYN/ACK response of victim. Original
stream.c used

    packet.tcp.th_ack           = 0;

i changed to

    packet.tcp.th_ack = random();
    for ACK packets.

But  it's  not  principial  - victim will reply RST for this packet in
most cases.


  +=-=-=-=-=-=-=-=-=+
  |Vladimir Dubrovin|
  | Sandy Info, ISP |
  +=-=-=-=-=-=-=-=-=+




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message