Bugtraq mailing list archives
Re: denial of service attack possible
From: nlawson () statler csc calpoly edu (Nathan Lawson)
Date: Fri, 27 Oct 1995 13:19:02 -0700
I posted this to sun-managers, but it has some nasty consequences if deliberately exploited. If anyone has any more info, or ideas for a fix, please let me know. netstat -an indicated: Active Internet connections (including servers) Proto Recv-Q Send-Q Local Address Foreign Address (state) tcp 0 0 205.164.146.26.80 146.94.1.2.2972 SYN_RCVD tcp 0 0 205.164.146.26.80 146.94.1.2.2763 SYN_RCVD tcp 0 0 205.164.146.26.80 146.94.1.2.2762 SYN_RCVD tcp 0 0 205.164.146.26.80 146.94.1.2.2612 SYN_RCVD tcp 0 0 205.164.146.26.80 146.94.1.2.2611 SYN_RCVD tcp 0 0 205.164.146.26.80 146.94.1.2.2610 SYN_RCVD tcp 0 0 205.164.146.26.80 146.94.1.2.2609 SYN_RCVD tcp 0 0 205.164.146.26.80 146.94.1.2.2541 SYN_RCVD tcp 0 0 *.80 *.* LISTEN It concerns me that one remote site can so easily completely block all incoming tcp/ip connections on a port. Is this a kernel bug, or something I can take some measure to prevent on this end?
Yes, a remote site can block connections to a port in that manner. It isn't a kernel or http bug, but just a general decision made in the networking code for BSD. The problem it addressed was what to do with initial SYN's that haven't been ACK'd. There are several things that can be done in such a situation. First, the kernel can keep a queue of connection requests and process them in a FIFO manner. It would respond with a RST for any more incoming connections that showed up while its queue was full. Unfortunately, this doesn't fit the goal of an RST which was designed to deal with permanent errors, not possible temporary conditions like a busy machine. Instead, the designers chose to drop newer requests silently. The old requests time out after about 90 seconds. They expected the client's application to timeout and resend the connection request. This doesn't address direct d.o.s. attacks, though. I think that Solaris's tcp_eager_listeners option could be used to allow your application to process connection requests before the complete 3-way handshake. Other than that, it's up to you whether you want to violate RFC's and perhaps break other things by dropping connection requests from the queue faster or limiting the number of requests from one machine. Good luck, Nate
Current thread:
- Re: denial of service attack possible Nathan Lawson (Oct 27)
- Re: denial of service attack possible Darren Reed (Oct 28)
- Re: denial of service attack possible Neil Readwin (Oct 30)
- <Possible follow-ups>
- Re: denial of service attack possible Casper Dik (Oct 29)
- Re: denial of service attack possible System Administrator (Oct 30)
- Re: denial of service attack possible John Stewart (Oct 31)
- Re: denial of service attack possible der Mouse (Nov 01)