Bugtraq mailing list archives

Re: denial of service attack possible

From: nlawson () statler csc calpoly edu (Nathan Lawson)
Date: Fri, 27 Oct 1995 13:19:02 -0700

I posted this to sun-managers, but it has some nasty consequences if deliberately
exploited.  If anyone has any more info, or ideas for a fix, please let me know.

netstat -an indicated:
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  205.164.146.26.80      146.94.1.2.2972        SYN_RCVD
tcp        0      0  205.164.146.26.80      146.94.1.2.2763        SYN_RCVD
tcp        0      0  205.164.146.26.80      146.94.1.2.2762        SYN_RCVD
tcp        0      0  205.164.146.26.80      146.94.1.2.2612        SYN_RCVD
tcp        0      0  205.164.146.26.80      146.94.1.2.2611        SYN_RCVD
tcp        0      0  205.164.146.26.80      146.94.1.2.2610        SYN_RCVD
tcp        0      0  205.164.146.26.80      146.94.1.2.2609        SYN_RCVD
tcp        0      0  205.164.146.26.80      146.94.1.2.2541        SYN_RCVD
tcp        0      0  *.80                   *.*                    LISTEN

It concerns me that one remote site can so easily completely block all
incoming tcp/ip connections on a port.  Is this a kernel bug, or something
I can take some measure to prevent on this end?


Yes, a remote site can block connections to a port in that manner.  It isn't
a kernel or http bug, but just a general decision made in the networking
code for BSD.  The problem it addressed was what to do with initial SYN's that
haven't been ACK'd.

There are several things that can be done in such a situation.  First, the
kernel can keep a queue of connection requests and process them in a FIFO
manner.  It would respond with a RST for any more incoming connections that
showed up while its queue was full.  Unfortunately, this doesn't fit the
goal of an RST which was designed to deal with permanent errors, not possible
temporary conditions like a busy machine.

Instead, the designers chose to drop newer requests silently.  The old
requests time out after about 90 seconds.  They expected the client's
application to timeout and resend the connection request.

This doesn't address direct d.o.s. attacks, though.  I think that Solaris's
tcp_eager_listeners option could be used to allow your application to process
connection requests before the complete 3-way handshake.  Other than that,
it's up to you whether you want to violate RFC's and perhaps break other things
by dropping connection requests from the queue faster or limiting the number
of requests from one machine.

Good luck,
Nate

Current thread:

Re: denial of service attack possible Nathan Lawson (Oct 27)
- Re: denial of service attack possible Darren Reed (Oct 28)
- Re: denial of service attack possible Neil Readwin (Oct 30)
- <Possible follow-ups>
- Re: denial of service attack possible Casper Dik (Oct 29)
- Re: denial of service attack possible System Administrator (Oct 30)
- Re: denial of service attack possible John Stewart (Oct 31)
- Re: denial of service attack possible der Mouse (Nov 01)