Great Circle Associates Firewalls
(September 1996)

Subject: Re: Improving Solaris resistance to syn attacks
From: Karl Strickland <karl @ bagpuss . demon . co . uk>
Date: Sun, 22 Sep 1996 00:24:49 +0100 (BST)
To: Geoff Mulligan <geoff @ mulligan . com>
Cc: Bill @ husler . xo . com, firewalls @ greatcircle . com
In-reply-to: <199609212219 . QAA06048 @ future . mulligan . com> from "Geoff Mulligan" at Sep 21, 96 04:19:39 pm

> > One problem is that the source address in these fake SYN packets can't be
> > trusted; so it's easy to fake an address that the target is likely to have
> > an existing connection with.  (granted there would be some guess work involved!)
> 
> Actually if they happen to send the segment with a source address of
> someone your system recently had a connection with this is a problem
> since when you send a syn:ack packet you'll likely get a reset which
> will clear the connection.

right, but the attacker would presumably flood the source port on the faked
source machine with SYNs also so it will not send RSTs.  As I understand
it, this is where this SYN attack business originated from, i.e. as part of
the process to spoof IP addresses.

> The problem is when the source is a
> non-existent system and the machine being attacked has to queue up and
> wait for the timeout period before dropping the connection request.
> I've already implemented a portion of maintaining a list of recent
> "established" connections for just this purpose.

yep

> 
> > Another problem is this requires kernel changes and most people don't have
> > Solaris kernel source.  Maybe you can wrap the functions you need in the
> > kernel, but somehow I doubt it.
> 
> No this doesn't require kernel modifications, at least not my
> implementation for Solaris.  It is done through the same mechanisms that
> ndd and netstat use to query the kernel for information and set these
> tcp connection variables (and on Solaris 2.5.1 it is even a bit
> simpler).

I think we have crossed wires!  I understand it's easy to change the value
of a kernel tunable variable the same way ndd does.  But you can't change
the way the kernel processes incoming connections without kernel mods.
I.e., you can't have it use one value of a timeout variable for connections from
W.X.Y.Z and a different value from A.B.C.D, which is what I understood Bill
was suggesting.  Or can you?!

Cheers,
Karl
-- 
------------------------------------------+-----------------------------------
Mailed using ELM on FreeBSD               |                    Karl Strickland
PGP 2.3a Public Key Available.            | Internet: karl @ bagpuss . demon . co . uk
                                          |
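The two cases argued over in this message (a spoofed source that is a live host and answers the SYN/ACK with a RST, versus one that never answers and leaves the entry to time out) and the per-source timeout Karl doubts can be done without kernel changes, as an added example that is not part of the original thread. This is a toy event-driven model of a listener's half-open (SYN_RCVD) backlog written for this page; it is not Solaris code, not Geoff's implementation, and the backlog size, RTT, rates, timeouts and addresses are all constructed. The two policy functions are hypothetical stand-ins for "one global tunable" and "a timeout that depends on the source".

```python
# Added example, not code from the message or the thread: a toy event-driven
# model of a listener's half-open (SYN_RCVD) backlog under a SYN flood.
# All numbers below (backlog size, RTT, rates, timeouts) are constructed.
import heapq
import itertools

BACKLOG = 8      # constructed: max half-open entries the listener will hold
RTT = 0.2        # constructed: seconds until a SYN/ACK draws an ACK or RST


def fixed_timeout(ip, recent, seconds=60.0):
    """One SYN_RCVD timeout for every source: the kind of global knob a
    tool like ndd can set without touching the kernel."""
    return seconds


def per_source_timeout(ip, recent):
    """Different timeout per source (what Karl says would need kernel
    changes): hosts on the recent-established list keep the long timeout,
    strangers get a short one."""
    return 60.0 if ip in recent else 2.0


def simulate(attack_rate, duration, timeout_for, attacker_kind="dead",
             client_ip="10.0.0.5", client_interval=1.0):
    """Run `duration` seconds of flood; return (client_accepted, client_dropped).

    attack_rate   spoofed SYNs per second, sources 192.0.2.x (constructed)
    attacker_kind "dead": spoofed sources never answer, entries sit until timeout
                  "live": spoofed sources are real hosts that answer the
                          unsolicited SYN/ACK with a RST after RTT seconds
    timeout_for   f(ip, recent) -> seconds a SYN_RCVD entry from ip is kept
    The legitimate client at client_ip is on the recent-established list and
    completes each handshake with an ACK after RTT seconds.
    """
    recent = {client_ip}
    table = {}                      # half-open entries: id -> expiry time
    events = []                     # (time, seq, kind, payload)
    seq = itertools.count()

    def push(t, kind, payload):
        heapq.heappush(events, (t, next(seq), kind, payload))

    t, n = 0.0, 0
    while t < duration:             # attacker's spoofed SYNs
        push(t, "syn", ("192.0.2.%d" % (n % 200 + 1), attacker_kind))
        t += 1.0 / attack_rate
        n += 1
    t = 0.05
    while t < duration:             # legitimate client's SYNs
        push(t, "syn", (client_ip, "client"))
        t += client_interval

    accepted = dropped = 0
    while events:
        t, _, kind, payload = heapq.heappop(events)
        if kind == "syn":
            ip, who = payload
            for eid in [e for e, exp in table.items() if exp <= t]:
                del table[eid]      # reap entries whose timeout has passed
            if len(table) >= BACKLOG:
                if who == "client":
                    dropped += 1    # backlog full: SYN silently discarded
                continue
            eid = next(seq)
            table[eid] = t + timeout_for(ip, recent)
            if who == "live":
                push(t + RTT, "rst", eid)   # real host rejects the SYN/ACK
            elif who == "client":
                push(t + RTT, "ack", eid)   # third leg of the handshake
        elif payload in table:      # "rst" or "ack" for a still-pending entry
            del table[payload]
            if kind == "ack":
                accepted += 1
    return accepted, dropped


if __name__ == "__main__":
    for label, kind, policy in [
        ("dead sources, one global timeout", "dead", fixed_timeout),
        ("live sources, one global timeout", "live", fixed_timeout),
        ("dead sources, per-source timeout", "dead", per_source_timeout),
    ]:
        ok, lost = simulate(2.0, 60.0, policy, attacker_kind=kind)
        print("%-35s client SYNs accepted=%2d dropped=%2d" % (label, ok, lost))
```

With a flood of only two spoofed SYNs per second the model's backlog of eight fills in about four seconds when the sources never answer and the timeout is a single 60 s value, and every later client SYN is discarded; the same flood from live hosts does no harm, because each RST frees its entry after one RTT. Giving strangers a 2 s timeout while recently seen hosts keep 60 s holds the backlog to a handful of entries at this rate, but a faster flood would still overflow it, so the policy is a mitigation, not a fix.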

