Excellent host SYN-attack fix for BSD hosts

Avi Freedman freedman at netaxs.com
Fri Oct 11 13:57:43 UTC 1996


I've been running Jeff Weisberg's SunOS patches for a day now without
trouble on my news and web boxes.  He's come up with an implementation
of the not-going-into-the-SYN_SENT-or-SYN_RCVD state hack.  It appears
to be working fine.

No state is kept locally; when a SYN is received, an ISS is generated that
contains a few bits for reference into a table of MSS values; window size
and any initial data is discarded; and the rest of the ISS is the MD5 output
of a 32-byte secret and all of the interesting header info.
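The stateless scheme described above, as an added Python example (not Jeff's patch or any code from the post); the MSS table values, the choice of hashed header fields (IPv4 4-tuple plus the client's ISN) and the 2-bit index width are assumptions:

```python
import hashlib
import secrets
import socket
import struct

# Constructed table of MSS values; the ISS carries an index into it rather
# than the client's advertised MSS ("a few bits" per the post; values assumed).
MSS_TABLE = (536, 1024, 1460, 4312)
MSS_BITS = 2                      # log2(len(MSS_TABLE))
HASH_BITS = 32 - MSS_BITS
HASH_MASK = (1 << HASH_BITS) - 1

SECRET = secrets.token_bytes(32)  # the 32-byte secret from the post

def mss_index(mss):
    """Index of the largest table entry that does not exceed the client's MSS."""
    best = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            best = i
    return best

def _header_hash(src_ip, src_port, dst_ip, dst_port, client_isn, secret):
    """MD5(secret || the 'interesting' header fields), truncated to HASH_BITS.
    No time counter is mixed in, matching the scheme as the post describes it."""
    hdr = struct.pack("!4sH4sHI", socket.inet_aton(src_ip), src_port,
                      socket.inet_aton(dst_ip), dst_port, client_isn)
    digest = hashlib.md5(secret + hdr).digest()
    return struct.unpack("!I", digest[:4])[0] & HASH_MASK

def make_iss(src_ip, src_port, dst_ip, dst_port, client_isn, mss, secret=SECRET):
    """Build the SYN-ACK's ISS without allocating any per-connection state."""
    h = _header_hash(src_ip, src_port, dst_ip, dst_port, client_isn, secret)
    return (mss_index(mss) << HASH_BITS) | h

def validate_ack(src_ip, src_port, dst_ip, dst_port, seq, ack, secret=SECRET):
    """Check the third-handshake ACK: seq is client ISN + 1, ack is our ISS + 1.
    Returns the MSS to use for the new connection, or None if the ACK does not
    match a SYN-ACK we would have sent (so a SYN flood costs no queue slots)."""
    iss = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    expect = _header_hash(src_ip, src_port, dst_ip, dst_port, client_isn, secret)
    if (iss & HASH_MASK) != expect:
        return None
    return MSS_TABLE[iss >> HASH_BITS]
```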

ftp.op.net:/pub/src/syn-prophylactica/

Has sun3 and sun4 patches (the sun4 patches work so far on sun4, sun4c,
and sun4m architectures).  The hypothetical-this-should-work-on-other-BSD-
based-systems source code in the 'net2-src' still hasn't actually been
tested, I think.

Tremendous thanks to Jeff for implementing what is still my favorite SYN
defense.

Hopefully Sun will incorporate this into their security announcement, which
basically says you're screwed if you run SunOS, though it does describe
how to increase the queue and decrease the SYN-holding timeout (if you 
have source...).   Object files that do that are still described at 
http://www.netaxs.com/~freedman/syn/, though I think the approach implemented
by Jeff is much better, and if you use that approach, increasing the queue
and decreasing the SYN-holding timeout are as useless as a command-line
interface on a Bay router.

Again, MANY thanks to Jeff.  

Avi
