On Fri, 13 Sep 1996, John Stumbles wrote:
> My (probably flawed :) understanding is that the trick to the SYN attack
> is that because the source address is unreachable (a reachable host would
> respond with a RST) the TCP layer keeps waiting, tying up resources in the
> kernel, and succumbing to the attack. (How am I doing so far?)

If the SYNs come fast enough, even waiting for RSTs will make the flood
succeed, as the SYNs just have to come from closer than the RSTs, and they
get there first.

> Why does it do this? If the IP layer 'knows' the source is unreachable
> (because its SYN/ACK gets an ICMP unreachable back) couldn't it pass the
> message up to the TCP layer and then TCP could abort the connection
> attempt, free up its resources, and stay in business?

You won't always get ICMP back; some of us put legitimate hosts behind
firewalls that won't give you the pleasure of finding out which addresses
are open for attack. You'd also leave yourself open to ICMP host
unreachable/network unreachable Denial Of Service attacks.

Just my shilling's worth,
Paul
-----------------------------------------------------------------------------
Paul D. Robertson       "My statements in this message are personal opinions
proberts @ clark . net   which may have no basis whatsoever in fact."
                                                                     PSB#9280
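
An added example, not part of the original message: a small queue model of the two cases discussed in this thread, the unreachable source whose half-open entry is held until timeout and the reachable source whose RST frees the entry only after a delay. The function name, the backlog of 5, the rates, the 200 ms RST delay and the 75-second timeout are all constructed values for illustration.

```python
from collections import deque

US = 1_000_000  # microseconds per second; integer time avoids float drift


def simulate_backlog(syn_per_sec, rst_delay_ms, backlog,
                     timeout_ms=75_000, duration_ms=10_000):
    """Model a fixed-size queue of half-open (SYN received) connections.

    rst_delay_ms: time until a RST from the claimed source frees the slot,
                  or None when the source is unreachable and only the
                  timeout frees it. All defaults are assumed values.
    Returns (peak_occupancy, fraction_of_SYNs_refused). A refused SYN
    stands for any arrival at that instant, legitimate ones included.
    """
    hold_ms = timeout_ms if rst_delay_ms is None else min(rst_delay_ms, timeout_ms)
    hold_us = hold_ms * 1000
    total = syn_per_sec * duration_ms // 1000
    releases = deque()  # slot release times; constant hold keeps them sorted
    peak = refused = 0
    for i in range(total):
        now = i * US // syn_per_sec
        while releases and releases[0] <= now:
            releases.popleft()          # RST or timeout freed this slot
        if len(releases) >= backlog:
            refused += 1                # queue full: SYN dropped
        else:
            releases.append(now + hold_us)
            peak = max(peak, len(releases))
    return peak, refused / total


if __name__ == "__main__":
    # Constructed scenarios, backlog of 5 slots.
    scenarios = [
        ("unreachable source, 10 SYN/s", 10, None),
        ("reachable source, RST after 200 ms, 10 SYN/s", 10, 200),
        ("reachable source, RST after 200 ms, 100 SYN/s", 100, 200),
    ]
    for label, rate, rst in scenarios:
        peak, refused = simulate_backlog(rate, rst, backlog=5)
        print(f"{label}: peak={peak} refused={refused:.0%}")
```

Once the arrival rate times the hold time exceeds the backlog, the queue stays full even though every entry is eventually freed by a RST, so shortening the hold time or enlarging the queue only raises the rate at which this happens.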