Bugtraq mailing list archives

Re: Excellent host SYN-attack fix for BSD hosts


From: stevek () io360 com (Steve Kann)
Date: Tue, 15 Oct 1996 16:41:57 -0400


| It also breaks "naked SYN" filtering which is commonly employed as a way
| to let established connections through without much effort and filter only
| those TCP packets that have a SYN.
| (Stuff like Cisco's established keyword)

this would require either:
        guessing the systems secret (128 bits)
                very unlikely

        inverting md5
                I won't say it is impossible, but it is hard

        sending lots and lots of packets until we get a connection
                the odds are no better/worse than any other attack
                based on guessing at seq. numbers

                guessing at a rate of 100 packets/sec it will require,
                on average, 3 days. Few 2600 readers have this patience.

3 days of letting a program rip doesn't seem like much price to pay for
being able to subvert a packet filter rule.  This is what has scared me
about this solution from the outset.  Am I missing something, or are we
setting ourselves up to exchange a DOS condition for something worse?

-SteveK
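As an added illustration (not code from this thread or from any BSD implementation), a toy SYN-cookie check that makes the point above concrete: an ACK with no SYN flag and a valid cookie is accepted with no prior state, which is exactly the packet shape an "established"-style filter admits, and the mean cost of guessing one is half the cookie space. The 24-bit cookie width, the HMAC-MD5 construction, the secret and the addresses are all assumptions.

```python
import hashlib
import hmac
import struct

# Toy SYN-cookie construction (an illustration, not any real host's scheme):
# ISN = counter (top 8 bits) || truncated HMAC-MD5(secret, 4-tuple, counter) (low COOKIE_BITS bits).
COOKIE_BITS = 24                     # assumption: width of the MAC field inside the 32-bit ISN
SECRET = bytes(range(16))            # constructed 128-bit secret; a host would draw this randomly

def syn_cookie(src_ip, dst_ip, src_port, dst_port, counter, secret=SECRET):
    """ISN a cookie-sending host puts in its SYN/ACK; nothing is stored per connection."""
    msg = struct.pack("!4s4sHHI", src_ip, dst_ip, src_port, dst_port, counter)
    mac = int.from_bytes(hmac.new(secret, msg, hashlib.md5).digest()[:4], "big")
    return ((counter & 0xFF) << COOKIE_BITS) | (mac & ((1 << COOKIE_BITS) - 1))

def accept_bare_ack(src_ip, dst_ip, src_port, dst_port, ack_number, now_counter,
                    secret=SECRET, window=2):
    """Stateless check applied to an ACK that carries no SYN and matches no stored state.
    Accepts if ack_number-1 is a cookie issued under one of the last `window` counter values,
    so a filter that only passes non-SYN packets cannot tell this apart from a real handshake."""
    isn = (ack_number - 1) & 0xFFFFFFFF
    for c in range(now_counter, max(now_counter - window, -1), -1):
        if syn_cookie(src_ip, dst_ip, src_port, dst_port, c, secret) == isn:
            return True
    return False

def expected_guesses(bits=COOKIE_BITS):
    """Mean number of random ACKs before one validates: half the cookie space."""
    return 2 ** (bits - 1)

def expected_days(rate_pps, bits=COOKIE_BITS):
    """The thread's arithmetic: mean time to a stateless 'connection' at a given packet rate."""
    return expected_guesses(bits) / rate_pps / 86400

if __name__ == "__main__":
    a, b = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])          # constructed addresses
    isn = syn_cookie(a, b, 40000, 25, counter=7)
    print(accept_bare_ack(a, b, 40000, 25, isn + 1, now_counter=8))         # valid, no SYN seen
    print(accept_bare_ack(a, b, 40000, 25, (isn ^ 1) + 1, now_counter=8))   # one bit off: rejected
    print(accept_bare_ack(a, b, 40000, 25, isn + 1, now_counter=10))        # counter expired
    print(f"{expected_days(100):.2f} days at 100 packets/s with {COOKIE_BITS}-bit cookies")
```

Widening COOKIE_BITS or lowering the packet rate shows how the expected time in the thread scales; the cookie space, not MD5 or the 128-bit secret, is what bounds the guessing cost.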
