TCP SYN attacks - a simple solution
Avi Freedman
freedman at netaxs.com
Mon Oct 7 00:09:40 UTC 1996
> The idea has been floated before, and I believe it to be the right
> solution to this problem. However, I have some suggested improvements:
>
> 1. The use of a "per boot" secret number allows an attacker to
> poll your machine to deduce the secret, and then attack you with
> that knowledge.
>
> A solution to this problem is to use a rapidly changing secret, the
> pattern of which cannot be easily deduced, and a sliding window of
> acceptance. (If the hash doesn't match the current scheme, but matches
> the scheme we were using in the past N seconds, then accept the packet)
>
> The change interval needs to be short enough that, by the time an
> attacker has been able to compute the next number, the window for
> accepting that has closed.
I figure that if you steal 4 to 12 bytes for mss storage, 2^20 is still
enough possibilities that you can just rotate your secret every minutes
and test against the old one for 30 seconds...
> -matthew kaufman
> matthew at scruz.net
Yes.
> ps. I've been meaning to write this entire scheme, with the enhancements
> I propose here, as a draft specification, but I keep getting interrupted
> by flooded phone rooms and the like this weekend. *sigh*
Hopefully there will be a working implementation of this by week's end.
Jeff Weisberg has code which runs on sun3s and (soon, I hope) on other
Suns under SunOS.
This has always seemed to me to be the best way to do things, though an
OS patch to go to hashed-entry into arrays of PCBs is a definite win to
back-implement into SunOS (for example) in general.
Avi
More information about the NANOG
mailing list