Vulnerability Development mailing list archives

Re: Naptha - New DoS


From: Damian Menscher <menscher () uiuc edu>
Date: Fri, 8 Dec 2000 23:18:53 -0600

On Fri, 8 Dec 2000, rpc wrote:
On Fri, 8 Dec 2000 02:44:23 -0500, White Vampire said:
On Thu, Dec 07, 2000 at 06:49:12PM +0100, Carl-Johan Bostorp(ctor () krixor xy  org) wrote:
 > Hmm.. Maybe I didn't read it close enough, but isn't what it does that it
 > just opens a bunch of TCP connections w/o keeping a local state?? ... The
 > only new thing I see is that it's been implemented and publicized.. But it
 > doesn't really matter..

    It involves some 'spoofing' too, so to speak.  So the
 originating host does not complete the handshake, thus not being
 affected.

On reading the Razor advisory, it seems the attack involves spoofing as well as
sniffing.
There is a daemon running on a machine on the same LAN as the victim, which
listens for the spoofed SYN packets, and the SYN/ACK reply from the victim.
The sniffing daemon then forges the last ACK of the handshake, from the spoof
to the victim. Thus the victim thinks the TCP connection is ESTABLISHED and
legitimate. Repeat.

Not exactly.  True, both spoofing and sniffing are involved.  But the
machine does NOT need to be on the same LAN as the victim, and it does
not have to listen for spoofed SYN packets.  It can be on any network
(the network the spoofed IP would be on IF it existed).

Now for a question: the effectiveness of the attack comes from the fact
that the attacker doesn't need to store the state.  Why not just allow
the second machine to actually exist, but not store the state?  Saves
effort from sniffing, though it does make it easier to find and shut
down.....

Damian Menscher
--
--==## Grad. student & Sys. Admin. @ U. Illinois at Urbana-Champaign ##==--
--==## <menscher () uiuc edu> www.uiuc.edu/~menscher/ Ofc:(217)333-0038 ##==--
--==## Physics Dept, 1110 W Green, Urbana IL 61801 Fax:(217)333-9819 ##==--
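The thread describes the victim ending up with many ESTABLISHED connections that the peer keeps no state for and never sends data on. As an added example (not code from the thread or from the Razor advisory), the following flags that pattern from a constructed netstat-style snapshot; the line format, the byte-count columns and the thresholds are assumptions.

```python
# Added example: detect a Naptha-style build-up of idle ESTABLISHED TCP
# connections from a constructed connection-table snapshot.
# Line format (assumed): proto local remote state bytes_in bytes_out
from collections import defaultdict

# Constructed sample data; addresses are documentation ranges.
SAMPLE = """tcp 10.0.0.5:80 198.51.100.7:4123 ESTABLISHED 512 2048
tcp 10.0.0.5:80 203.0.113.9:1025 ESTABLISHED 0 0
tcp 10.0.0.5:80 203.0.113.10:1025 ESTABLISHED 0 0
tcp 10.0.0.5:80 203.0.113.11:1025 ESTABLISHED 0 0
tcp 10.0.0.5:80 203.0.113.12:1025 ESTABLISHED 0 0
tcp 10.0.0.5:22 192.0.2.44:5566 ESTABLISHED 900 300
tcp 10.0.0.5:80 203.0.113.13:1025 SYN_RECV 0 0
"""


def parse_snapshot(text):
    """Parse snapshot lines into dicts; skip anything that is not a TCP row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0] != "tcp":
            continue
        _, local, remote, state, b_in, b_out = parts
        rows.append({"local": local, "remote": remote, "state": state,
                     "bytes": int(b_in) + int(b_out)})
    return rows


def idle_established_by_socket(rows):
    """For each local socket: (idle ESTABLISHED count, distinct remote hosts).

    Idle means the connection reached ESTABLISHED but carried no payload,
    which is what a peer that keeps no state for the connection looks like.
    """
    counts = defaultdict(int)
    remotes = defaultdict(set)
    for r in rows:
        if r["state"] == "ESTABLISHED" and r["bytes"] == 0:
            counts[r["local"]] += 1
            remotes[r["local"]].add(r["remote"].rsplit(":", 1)[0])
    return {s: (counts[s], len(remotes[s])) for s in counts}


def flag_sockets(rows, threshold=3):
    """Local sockets whose idle ESTABLISHED count meets the assumed threshold."""
    stats = idle_established_by_socket(rows)
    return sorted(s for s, (n, _) in stats.items() if n >= threshold)
```

A real deployment would take the snapshot from the host's connection table and compare consecutive snapshots, since a short-lived idle connection is normal and a steadily growing set is not.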

