North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: New Denial of Service Attack on Panix
Nevermind..... I've been working on the non-random attack first.... I apologize for wasting everyones time when the approach below does nothing for the random() attack. Staying up too late in the lab, I guess. Best Regards, Tim > > > Hi. > > I've been testing the SYN attack on with 'the patch' > with no success of stopping the attack so far with the > patch (right now, without the patch it is DoA and with the > patch, the attack panics the kernel :.... but this is more-than > likely an implementation issue that will be solved. > > However, I was thinking (dangerous, admittedly) that since > the success of the attack is based on using an UNREACHABLE > source address and the host under attack attempts to > ACK/SYN with the bogus attacker wouldn't it be easier to: > > Just have either (1) a listening daemon; (2) or an internal > flag in the kernel, (3) or some other better IPC, to notify > TCP, or better yet, IP to say: "Hey, there is a lot of > HOST UNREACHABLES going on here, and I don't like it" > algorithm to either (a) just filter the IP packets > at in the kernel IP code, (best IMO) (b) or do it > in the TCP code? > > This seems simple, so I must be missing something in this! > > Because, it seems to me, since the way to exploit TCP > is to use bogus, unreachable IP sources, why not use > this fact to let the kernal just filter itself under > certain flooding conditions? > > Please let me know why this will not work. > > Thanks, > > Tim > > > - - - - - - - - - - - - - - - - -
|