nanog mailing list archives

Re: tcp,guardent,bellovin


From: "Steven M. Bellovin" <smb () research att com>
Date: Mon, 12 Mar 2001 21:09:29 -0500


In message <200103122349.f2CNndk28613 () foo-bar-baz cc vt edu>, Valdis.Kletnieks@vt.edu writes:

> On Mon, 12 Mar 2001 18:09:32 EST, "Richard A. Steenbergen" said:
> > And since the "victim" will have the current sequence number for inbound
> > data, what would keep it from (correctly) sending an RST and tearing down
> > this false connection?
>
> And THAT my friends, was the *original* purpose for a TCP SYN flood - it
> wasn't to DOS the victim, it was to DOS a machine *trusted by* the victim
> so you could forge a connection and NOT get nailed by an RST.
>
> I'm sure that Steve Bellovin can point us at the original discussion
> of this, which was *ages* ago.  I remember hearing that Kevin Mitnick
> used that (in addition to other tricks) against Shimomura's machines
> and thinking "Hmm.. so it's *not* just a theoretical attack anymore..."

More or less.  When doing a sequence number guessing attack, one of the 
problems faced by the attacker is preventing the spoofed machine from 
replying with an RST to the SYN+ACK for a connection it knows nothing 
about.  Morris's original version used a low-rate SYN flood that 
exploited a bug in the BSD kernel to effectively gag a low-numbered 
port.  His paper can be found at
ftp://ftp.research.att.com/dist/internet_security/117.ps.Z
This isn't the same weakness that was exploited by the early SYN 
floods, but it took advantage of the same limit on half-open 
connections.

                --Steve Bellovin, http://www.research.att.com/~smb
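As an added illustration, not code from the thread or from Morris's paper: a toy Python model of the bounded half-open (SYN-received) queue that a SYN flood fills, placed beside a SYN-cookie listener, the stateless handshake later adopted to remove that lever. Everything here is constructed: the listener classes, the addresses and ports, the backlog size of eight, the 75-second half-open timeout, and the simplified 5-bit counter / 27-bit MAC cookie layout (real kernels pack the cookie differently). The point the model makes is that a handful of SYNs that never complete can stop a stateful listener from answering a legitimate peer at all, while a listener that keeps no state until the third packet keeps answering.

```python
"""Constructed model of a TCP listener's half-open queue versus SYN cookies.
Not from the NANOG thread or from any real TCP stack; all numbers are illustrative."""
import hashlib
import hmac
from collections import OrderedDict


class StatefulListener:
    """Classic listener: one queue entry per half-open connection, bounded by
    `backlog`.  Entries that never see the final ACK occupy the queue until
    `timeout` seconds pass; that bounded queue is what a SYN flood exhausts."""

    def __init__(self, backlog, timeout=75.0):
        self.backlog = backlog
        self.timeout = timeout
        self.half_open = OrderedDict()   # peer (ip, port) -> (server_isn, expiry)
        self._next_isn = 0x1000          # toy sequential ISN generator

    def _expire(self, now):
        for peer, (_, expiry) in list(self.half_open.items()):
            if expiry <= now:
                del self.half_open[peer]

    def on_syn(self, peer, now):
        """Return the ISN sent in SYN+ACK, or None if the SYN had to be dropped."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            return None                  # queue full: legitimate peers get no answer
        self._next_isn += 1
        self.half_open[peer] = (self._next_isn, now + self.timeout)
        return self._next_isn

    def on_ack(self, peer, ack_num, now):
        self._expire(now)
        entry = self.half_open.get(peer)
        if entry is None or entry[0] + 1 != ack_num:
            return False
        del self.half_open[peer]          # handshake complete, entry leaves the queue
        return True


class SynCookieListener:
    """Stateless alternative: the SYN+ACK's ISN is a keyed MAC over the connection
    tuple and a coarse time counter.  Nothing is stored until the peer echoes that
    value back, so unfinished handshakes consume no memory."""

    def __init__(self, secret):
        self.secret = secret             # constructed; real deployments rotate it

    @staticmethod
    def _counter(now):
        return int(now) >> 6             # one counter slot per 64 seconds

    def _cookie(self, peer, local, client_isn, counter):
        msg = f"{peer}|{local}|{client_isn}|{counter}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        # simplified layout: 5 bits of counter, 27 bits of truncated MAC
        return ((counter & 0x1F) << 27) | (int.from_bytes(mac[:4], "big") & 0x07FFFFFF)

    def on_syn(self, peer, local, client_isn, now):
        return self._cookie(peer, local, client_isn, self._counter(now))

    def on_ack(self, peer, local, client_isn, ack_num, now):
        cookie = (ack_num - 1) & 0xFFFFFFFF
        current = self._counter(now)
        for counter in (current, current - 1):   # tolerate one slot boundary
            if (counter & 0x1F) == cookie >> 27 and \
               self._cookie(peer, local, client_isn, counter) == cookie:
                return True
        return False


def demo():
    """Run both listeners against the same constructed traffic and report outcomes."""
    now = 1000.0
    local = ("192.0.2.10", 25)                      # constructed listening service
    legit = ("198.51.100.7", 51515)                 # constructed legitimate peer
    never_complete = [("203.0.113.%d" % i, 40000 + i) for i in range(8)]

    stateful = StatefulListener(backlog=8)
    for peer in never_complete:
        stateful.on_syn(peer, now)                  # eight SYNs, no ACKs ever follow
    dropped = stateful.on_syn(legit, now + 1) is None
    isn = stateful.on_syn(legit, now + 80)          # after the timeout the queue drains
    recovered = isn is not None and stateful.on_ack(legit, isn + 1, now + 81)

    cookies = SynCookieListener(secret=b"constructed-secret")
    for peer in never_complete:
        cookies.on_syn(peer, local, client_isn=1, now=now)
    isn = cookies.on_syn(legit, local, client_isn=777, now=now + 1)
    accepted = cookies.on_ack(legit, local, 777, isn + 1, now + 2)
    wrong_ack = cookies.on_ack(legit, local, 777, isn + 2, now + 2)
    stale = cookies.on_ack(legit, local, 777, isn + 1, now + 200)   # two slots later

    return {
        "stateful_dropped_during_flood": dropped,
        "stateful_recovered_after_timeout": recovered,
        "cookie_accepted_legit": accepted,
        "cookie_rejected_wrong_ack": wrong_ack,
        "cookie_rejected_stale": stale,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The stateful listener answers nothing new until its 75-second timer drains the queue, which is exactly the window the quoted discussion describes; the cookie listener answers every SYN and still rejects an ACK that does not carry the right value or arrives too long after the slot it was issued in.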