North American Network Operators Group

Re: tcp,guardent,bellovin
In message <[email protected]>, [email protected] vt.edu writes:
>
> On Mon, 12 Mar 2001 18:09:32 EST, "Richard A. Steenbergen" said:
>> And since the "victim" will have the current sequence number for inbound
>> data, what would keep it from (correctly) sending an RST and tearing down
>> this false connection?
>
> And THAT my friends, was the *original* purpose for a TCP SYN flood - it
> wasn't to DOS the victim, it was to DOS a machine *trusted by* the victim
> so you could forge a connection and NOT get nailed by an RST.
>
> I'm sure that Steve Bellovin can point us at the original discussion
> of this, which was *ages* ago. I remember hearing that Kevin Mitnick
> used that (in addition to other tricks) against Shimomura's machines
> and thinking "Hmm.. so it's *not* just a theoretical attack anymore..."
>

More or less. When doing a sequence number guessing attack, one of the problems faced by the attacker is preventing the spoofed machine from replying with an RST to the SYN+ACK for a connection it knows nothing about. Morris's original version used a low-rate SYN flood that exploited a bug in the BSD kernel to effectively gag a low-numbered port. His paper can be found at

ftp://ftp.research.att.com/dist/internet_security/117.ps.Z

This isn't the same weakness that was exploited by the early SYN floods, but it took advantage of the same limit on half-open connections.

--Steve Bellovin, http://www.research.att.com/~smb
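Added example, not part of the original thread: a small Python model of the half-open connection limit Bellovin refers to, placed beside the stateless SYN-cookie approach that later removed that limit as a lever. The backlog size, timeout, addresses and secret are constructed assumptions, not values from Morris's paper or any real kernel.

```python
import hashlib
import hmac
import os

# Constructed parameters modelling a 4.2BSD-style listener; both values are
# illustrative assumptions, not figures taken from Morris's paper.
BACKLOG = 5              # half-open (SYN-RCVD) entries the port can hold
SYN_RCVD_TIMEOUT = 75.0  # seconds before an unanswered entry is reclaimed

class StatefulListener:
    """Holds one queue slot per SYN-RCVD connection and drops SYNs when full."""
    def __init__(self):
        self.half_open = {}  # (src_ip, src_port) -> expiry time

    def on_syn(self, src, now):
        self.half_open = {k: e for k, e in self.half_open.items() if e > now}
        if len(self.half_open) >= BACKLOG:
            return "dropped"  # neither SYN+ACK nor RST goes out: the port is gagged
        self.half_open[src] = now + SYN_RCVD_TIMEOUT
        return "syn-ack"

class SynCookieListener:
    """Keeps no per-SYN state; the handshake state travels in the ISN it sends."""
    def __init__(self, secret=None):
        self.secret = secret or os.urandom(16)

    def cookie(self, src, dst, minute):
        mac = hmac.new(self.secret, repr((src, dst, minute)).encode(), hashlib.sha256)
        return int.from_bytes(mac.digest()[:4], "big")

    def on_syn(self, src, dst, now):
        return self.cookie(src, dst, int(now // 60))  # ISN carrying the cookie

    def on_ack(self, src, dst, ack_num, now):
        # The peer acknowledges ISN + 1; accept the current or previous minute's cookie.
        m = int(now // 60)
        return any((ack_num - 1) & 0xFFFFFFFF == self.cookie(src, dst, x) for x in (m, m - 1))

def stateful_results(n_syns, interval):
    """Outcomes of n never-completed SYNs (constructed sources) arriving `interval` s apart."""
    listener = StatefulListener()
    return [listener.on_syn(("192.0.2.%d" % i, 40000 + i), i * interval) for i in range(n_syns)]

def cookie_roundtrip(now=1000.0):
    """A client completing the handshake against a listener that stored nothing about its SYN."""
    listener = SynCookieListener()
    src, dst = ("198.51.100.7", 51515), ("203.0.113.25", 25)
    isn = listener.on_syn(src, dst, now)
    return (listener.on_ack(src, dst, (isn + 1) & 0xFFFFFFFF, now + 3.0),
            listener.on_ack(src, dst, (isn + 2) & 0xFFFFFFFF, now + 3.0))
```

With these assumed parameters the stateful port stops answering once five unanswered SYNs sit in its queue, and only frees a slot when an entry ages out; the cookie listener answers every SYN and still recognises a genuine completing ACK without having stored anything.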