From: Karl Strickland <karl @
> One problem is that the source address in these fake SYN packets can't be
> trusted; so it's easy to fake an address that the target is likely to have
> an existing connection. (granted there would be some guesswork involved!)
Actually if they happen to send the segment with a source address of
someone your system recently had a connection with this is a problem
since when you send a syn:ack packet you'll likely get a reset which
will clear the connection. The problem is when the source is a
non-existent system and the machine being attacked has to queue up and
wait for the timeout period before dropping the connection request.
I've already implemented a portion of maintaining a list of recent
"established" connections for just this purpose.
> Another problem is this requires kernel changes and most people don't have
> Solaris kernel source. Maybe you can wrap the functions you need in the
> kernel, but somehow I doubt it.
No, this doesn't require kernel modifications, at least not my
implementation for Solaris. It is done through the same mechanisms that
ndd and netstat use to query the kernel for information and set these
tcp connection variables (and on Solaris 2.5.1 it is even a bit