New Denial of Service Attack on Panix
Tim Bass
bass at cais.cais.com
Wed Oct 2 21:19:21 UTC 1996
Nevermind.....
I've been working on the non-random attack first.... I
apologize for wasting everyones time when the approach
below does nothing for the random() attack.
Staying up too late in the lab, I guess.
Best Regards,
Tim
>
>
> Hi.
>
> I've been testing the SYN attack on with 'the patch'
> with no success of stopping the attack so far with the
> patch (right now, without the patch it is DoA and with the
> patch, the attack panics the kernel :.... but this is more-than
> likely an implementation issue that will be solved.
>
> However, I was thinking (dangerous, admittedly) that since
> the success of the attack is based on using an UNREACHABLE
> source address and the host under attack attempts to
> ACK/SYN with the bogus attacker wouldn't it be easier to:
>
> Just have either (1) a listening daemon; (2) or an internal
> flag in the kernel, (3) or some other better IPC, to notify
> TCP, or better yet, IP to say: "Hey, there is a lot of
> HOST UNREACHABLES going on here, and I don't like it"
> algorithm to either (a) just filter the IP packets
> at in the kernel IP code, (best IMO) (b) or do it
> in the TCP code?
>
> This seems simple, so I must be missing something in this!
>
> Because, it seems to me, since the way to exploit TCP
> is to use bogus, unreachable IP sources, why not use
> this fact to let the kernal just filter itself under
> certain flooding conditions?
>
> Please let me know why this will not work.
>
> Thanks,
>
> Tim
>
>
>
More information about the NANOG
mailing list