Re: Naptha - New DoS

[rpc <h () ckz org>]

On Fri, 8 Dec 2000 02:44:23 -0500, White Vampire said:

> On Thu, Dec 07, 2000 at 06:49:12PM +0100, Carl-Johan Bostorp(ctor () krixor xy  org) wrote:
>  > Hmm.. Maybe I didn't read it close enough, but isn't what it does that it
>  > just opens a bunch of TCP connections w/o keeping a local state?? ... The
>  > only new thing I see is that it's been implemented and publicized.. But it
>  > doesn't really matter..
>
>       It involves some 'spoofing' too, so to speak.  So the
>  originating host does not complete the handshake, thus not being
>  affected.

On reading the Razor advisory, it seems the attack involves spoofing as well as
sniffing.
There is a daemon running on a machine on the same LAN as the victem, which
listens for the spoofed SYN packets, and the SYN/ACK reply from the victem.
The sniffing daemon then forges the last ACK of the handshake, from the spoof
to the victem.  Thus the victem thinks the TCP connection is ESTABLISHED and
legitmate.  Repeat.


>       Regardless, I am not really sure what the problem is.  So what
>  if it is an old concept.  So what if it has been discussed to death.  Is
>  this not worth fixing?  This is /not/ a good thing.
>
>  > I never mentioned inetd. Use xinetd as wrapper for other daemons like ssh
>  > and you no longer have to worry about ssh being attacked.
>
>       Ah, my error.
>
>  Regards,
>  --
>      __      ______   ____
>     /  \    /  \   \ /   / White Vampire\Rem
>     \   \/\/   /\   Y   /  http://www.gammagear.com/ (Gear for the BOFH!)
>      \        /  \     /   http://www.webfringe.com/
>       \__/\  /    \___/    http://www.gammaforce.org/
>            \/ "Silly hacker, root is for administrators."