Bugtraq mailing list archives
Re: denial of service attack possible
From: nlawson () statler csc calpoly edu (Nathan Lawson)
Date: Fri, 27 Oct 1995 13:19:02 -0700
I posted this to sun-managers, but it has some nasty consequences if deliberately exploited. If anyone has any more info, or ideas for a fix, please let me know. netstat -an indicated: Active Internet connections (including servers) Proto Recv-Q Send-Q Local Address Foreign Address (state) tcp 0 0 205.164.146.26.80 146.94.1.2.2972 SYN_RCVD tcp 0 0 205.164.146.26.80 146.94.1.2.2763 SYN_RCVD tcp 0 0 205.164.146.26.80 146.94.1.2.2762 SYN_RCVD tcp 0 0 205.164.146.26.80 146.94.1.2.2612 SYN_RCVD tcp 0 0 205.164.146.26.80 146.94.1.2.2611 SYN_RCVD tcp 0 0 205.164.146.26.80 146.94.1.2.2610 SYN_RCVD tcp 0 0 205.164.146.26.80 146.94.1.2.2609 SYN_RCVD tcp 0 0 205.164.146.26.80 146.94.1.2.2541 SYN_RCVD tcp 0 0 *.80 *.* LISTEN It concerns me that one remote site can so easily completely block all incoming tcp/ip connections on a port. Is this a kernel bug, or something I can take some measure to prevent on this end?
Yes, a remote site can block connections to a port in that manner. It isn't a kernel or http bug, but just a general decision made in the networking code for BSD. The problem it addressed was what to do with initial SYN's that haven't been ACK'd. There are several things that can be done in such a situation. First, the kernel can keep a queue of connection requests and process them in a FIFO manner. It would respond with a RST for any more incoming connections that showed up while its queue was full. Unfortunately, this doesn't fit the goal of an RST which was designed to deal with permanent errors, not possible temporary conditions like a busy machine. Instead, the designers chose to drop newer requests silently. The old requests time out after about 90 seconds. They expected the client's application to timeout and resend the connection request. This doesn't address direct d.o.s. attacks, though. I think that Solaris's tcp_eager_listeners option could be used to allow your application to process connection requests before the complete 3-way handshake. Other than that, it's up to you whether you want to violate RFC's and perhaps break other things by dropping connection requests from the queue faster or limiting the number of requests from one machine. Good luck, Nate
Current thread:
- s-bits disappear ?, (continued)
- s-bits disappear ? Bernd Lehle (Oct 11)
- Re: s-bits disappear ? Neil Readwin (Oct 12)
- Sun's Loadmodule Patch Neil Woods (Oct 18)
- FW: WinNews Special Issue Scott Chasin (Oct 22)
- SunOS 5.5 Beta Aleph One (Oct 24)
- denial of service attack possible Mark Thomas (Oct 26)
- Re: denial of service attack possible Darren Reed (Oct 27)
- Re: denial of service attack possible Darrell Fuhriman (Oct 27)
- Re: denial of service attack possible Tom Fitzgerald (Oct 27)
- Re: denial of service attack possible Michael R. Widner (Oct 27)
- Re: denial of service attack possible Nathan Lawson (Oct 27)