Hello Steve,
yes, some 3-5 minutes after my initial message I was pointed
to the sequence number problem by Andrew Finkenstadt in a private
e-mail, and yes -- I think that staying in a loop while the
connection goes on, and continuing sequence-number spoofing,
is how a hypothetical "spoofer-buffer" device should behave.
(We know some attacks based on sequence numbers -- this would
be kind of a counter-attack on the same principle. :)
CPUs are damn fast and cheap today; so I think if one has already
jumped into this game, sequence number spoofing won't be a big
problem, and yes, any proxy-based firewall does this already.
On 13 Sep 1996, Steve Simmons wrote:
[...]
> This also reduces the problem set somewhat. The spoofer is now merely
> a modified firewall with an incredible capacity to accept SYNs and a
> modified algorithm of when to discard unresolved ones. IMHO, something
> on the order of five seconds capacity with a LRU discard is more than
> sufficient.
Oh no, what a pity... you guys think everyone uses 45 Mbps?
What about 26400 bps SLIP over 2LL -- and this still _is_ the
generic IP highway in Ukraine these days. "Generic" BSD's
75-second timeout is a bit large, but 30-40 seconds at least...
> It should be configurable as well, so the attacked site
> can increase the number of pending opens if needed -- as their bandwidth
> increases, so does the number of SYNs in a second.
Agreed.
>
> It still does nothing to detect the attacker, but IMHO the immediate
> problem is preventing the attack from hosing you.
Unfortunately, an attacker might be detectable _only_
if (or "when") all ISPs have forbidden address forgery
for _all their own customers_. I don't expect this to happen
any time soon.
Best,
Andrew
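[Editor's note: the "spoofer-buffer" discussed above -- a proxy that answers SYNs on the server's behalf, keeps a bounded table of half-open connections with a configurable timeout and LRU discard, and then translates sequence numbers for the life of the connection -- is sketched below as a small Python simulation. This is an added example, not code from the thread or from any of the firewalls mentioned; the class and function names, the table size, the timeout and the SYN rate are assumptions chosen for illustration.]

```python
"""Simulation of a SYN proxy ("spoofer-buffer"): bounded half-open table with
LRU discard and a timeout, plus per-connection sequence-number translation.

Added example, not code from the original thread.  Names, sizes, timeouts
and the flood rate are assumptions; a real implementation lives in a kernel
or firewall, not in Python.
"""
import random
from collections import OrderedDict

MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def seq_add(a, b):
    return (a + b) % MOD


class SynProxy:
    def __init__(self, max_pending, pending_timeout, rng=None):
        self.max_pending = max_pending          # "number of pending opens"
        self.pending_timeout = pending_timeout  # seconds (thread: 5 s vs 30-40 s)
        self.rng = rng or random.SystemRandom()
        self.pending = OrderedDict()            # (addr, port) -> (proxy_isn, ts); oldest first
        self.established = {}                   # (addr, port) -> delta (server_isn - proxy_isn)
        self.evicted = 0                        # dropped by LRU pressure
        self.expired = 0                        # dropped by timeout

    def expire(self, now):
        """Drop half-open entries older than pending_timeout."""
        while self.pending:
            _, (_, ts) = next(iter(self.pending.items()))
            if now - ts < self.pending_timeout:
                break
            self.pending.popitem(last=False)
            self.expired += 1

    def on_syn(self, client, now):
        """Answer a SYN on the server's behalf; the real server never sees it."""
        self.expire(now)
        if client in self.pending:              # retransmitted SYN: keep the same ISN
            isn, _ = self.pending.pop(client)
        else:
            if len(self.pending) >= self.max_pending:
                self.pending.popitem(last=False)  # LRU discard of the oldest half-open
                self.evicted += 1
            isn = self.rng.randrange(MOD)
        self.pending[client] = (isn, now)
        return isn                              # our SYN/ACK carries seq=isn

    def on_ack(self, client, ack, now, connect_backend):
        """Third handshake packet.  Only a host that actually received our SYN/ACK
        knows isn, so a forged-source flood never reaches this point."""
        entry = self.pending.get(client)
        if entry is None or ack != seq_add(entry[0], 1):
            return False
        proxy_isn, _ = entry
        del self.pending[client]
        server_isn = connect_backend(client)    # proxy now does its own handshake to the server
        # Client expects proxy_isn space, server speaks server_isn space: translate forever after.
        self.established[client] = (server_isn - proxy_isn) % MOD
        return True

    def to_server(self, client, ack):
        """Client -> server segment: rewrite the ACK field into the server's space."""
        return seq_add(ack, self.established[client])

    def to_client(self, client, seq):
        """Server -> client segment: rewrite the SEQ field into the client's space."""
        return seq_add(seq, MOD - self.established[client])


def simulate(max_pending=5000, timeout=5.0, forged=20000, syn_rate=4000.0):
    """Constructed scenario: a forged-source SYN flood, then one legitimate client."""
    proxy = SynProxy(max_pending, timeout, random.Random(1))
    now = 0.0
    for i in range(forged):   # unique forged (addr, port) pairs that never send the ACK
        src = ("10.%d.%d.%d" % ((i >> 16) & 255, (i >> 8) & 255, i & 255), 1024 + i % 60000)
        proxy.on_syn(src, now)
        now += 1.0 / syn_rate
    pending_after_flood = len(proxy.pending)    # bounded by max_pending, whatever the flood
    client = ("192.0.2.7", 40001)               # legitimate client arriving mid-flood
    isn = proxy.on_syn(client, now)
    completed = proxy.on_ack(client, seq_add(isn, 1), now + 0.05, lambda c: 1000)
    proxy.expire(now + timeout + 1.0)           # flood leftovers age out
    return {
        "pending_after_flood": pending_after_flood,
        "evicted": proxy.evicted,
        "legit_completed": completed,
        "expired": proxy.expired,
        "pending_after_timeout": len(proxy.pending),
    }


if __name__ == "__main__":
    print(simulate())
```

The table never grows past max_pending no matter how many forged SYNs arrive; what the attacker can still do is push legitimate half-opens out of the LRU faster than their owners can ACK, which is exactly why the timeout and the table size have to be tuned to the slowest link that matters (the 26400 bps case above), not to the fastest.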