North American Network Operators Group


Re: SYN floods (was: does history repeat itself?)

  • From: Avi Freedman
  • Date: Mon Sep 09 22:30:04 1996

> On my private network I can send 600 or more SYN packets to my telnet port 
> (w/faked, unreachable source addresses + random seq numbers), yet the 
> port doesn't seem to be flooded.
> 
> It's a linux box.
> 
> The telnet daemon seems to be able to tell the difference between a faked 
> packet and a real one.  Even when spoofing from localhost, it reports a 
> connection from unknown.
> 
> Obviously, there seems to be a solution to this problem.  ??
> 
> --
> Billy Biggs
> Ottawa, Canada

Nope; it's just that when the kernel on your linux box responds to the SYN,
the machine you're doing it from says "RST" and the SYN leaves the 
"incompleted-connections" listen queue for the socket you're attacking.

If you forge random IP source addresses, those packets won't go away and
whatever you're pounding on will be hosed until a) 75 seconds (or whatever
the timer is set to) expires, or b) you kill and restart the service in
question.

Avi
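The queue behaviour Avi describes can be made concrete with a small simulation. The following is an added example, not code from the original posts or from any kernel: it models a listen socket's half-open ("incompleted-connections") queue with an assumed backlog of 128 entries and the 75-second handshake timer mentioned in the reply, then replays Billy's 600-SYN scenario twice, once where the source hosts exist and answer the SYN-ACK with a RST (entries are reclaimed at once, nothing is flooded) and once where the sources are unreachable (entries linger until the timer expires and the queue fills). All addresses and timings are constructed sample values.

```python
"""Simulation of a TCP listen socket's half-open queue under spoofed SYNs.

Added illustration for the reply above; not code from the post or a kernel.
Assumptions (not from the post): a backlog of 128 half-open entries,
a 75-second SYN timer, and synthetic source addresses generated inline.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

BACKLOG = 128        # assumed maximum half-open entries per listen socket
SYN_TIMER = 75.0     # seconds before an unanswered SYN-ACK is given up on

Src = Tuple[str, int]  # (source IP, source port) identifying one half-open entry


@dataclass
class HalfOpenQueue:
    """Tracks SYNs that have been answered with SYN-ACK but not yet completed."""
    backlog: int = BACKLOG
    timer: float = SYN_TIMER
    entries: Dict[Src, float] = field(default_factory=dict)  # src -> expiry time
    dropped: int = 0  # SYNs refused because the queue was full

    def expire(self, now: float) -> None:
        # Option (a) in the reply: stale entries leave when their timer lapses.
        for key, expiry in list(self.entries.items()):
            if expiry <= now:
                del self.entries[key]

    def on_syn(self, src: Src, now: float) -> bool:
        """Returns True if the SYN was queued (or was a retransmit), False if dropped."""
        self.expire(now)
        if src in self.entries:
            return True
        if len(self.entries) >= self.backlog:
            self.dropped += 1
            return False
        self.entries[src] = now + self.timer
        return True

    def on_rst(self, src: Src) -> None:
        # A real host that never sent the SYN answers our SYN-ACK with RST,
        # which removes the entry immediately. A spoofed, unreachable source
        # never sends this, so its entry stays until expire() removes it.
        self.entries.pop(src, None)

    def on_ack(self, src: Src) -> bool:
        # Third handshake step: the connection completes and leaves the queue.
        return self.entries.pop(src, None) is not None

    def near_capacity(self, threshold: float = 0.8) -> bool:
        # Simple monitoring check: flag when the half-open queue is mostly full.
        return len(self.entries) >= threshold * self.backlog


def run_scenario(reachable: bool, n_syn: int = 600) -> Tuple[int, int]:
    """Replay n_syn SYNs from distinct sources, 10 ms apart.

    reachable=True models sources that exist and reply RST to the SYN-ACK;
    reachable=False models forged, unreachable sources that never answer.
    Returns (half-open entries left, SYNs dropped for lack of queue space).
    """
    q = HalfOpenQueue()
    t = 0.0
    for i in range(n_syn):
        src = (f"10.0.{i // 256}.{i % 256}", 40000 + i)  # constructed sample sources
        q.on_syn(src, t)
        if reachable:
            q.on_rst(src)  # immediate RST from the real host clears the entry
        t += 0.01
    return len(q.entries), q.dropped


def recovers_after_timer() -> bool:
    """Once the timer lapses the stale entries are reclaimed and new SYNs are accepted."""
    q = HalfOpenQueue()
    for i in range(q.backlog):
        q.on_syn((f"192.0.2.{i % 256}", 50000 + i), 0.0)  # constructed sources
    blocked = not q.on_syn(("198.51.100.7", 1234), 1.0)            # queue full
    accepted = q.on_syn(("198.51.100.7", 1234), SYN_TIMER + 1.0)   # after expiry
    return blocked and accepted


if __name__ == "__main__":
    print("reachable sources (RST):  ", run_scenario(reachable=True))
    print("unreachable sources:      ", run_scenario(reachable=False))
    print("recovers after timer:     ", recovers_after_timer())
```

With reachable sources every entry is removed as soon as the RST arrives, which is why 600 SYNs from a private network leave the telnet port untouched; with unreachable sources the 128-entry queue fills after 128 SYNs and the remaining 472 are dropped until the 75-second timer (or a service restart) empties it. The `near_capacity` check is the kind of signal an operator would watch to notice such a flood in progress.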
