AV/FW Adoption Studies
Steven M. Bellovin
smb at research.att.com
Thu Jun 10 19:41:24 UTC 2004
In message <200406101919.i5AJJVUM000657 at turing-police.cc.vt.edu>, Valdis.Kletnieks at vt.edu writes:
Actually, it was Morris, not me, who first pointed it out.
>
>Data point: When did Steve Bellovin point out the issues with non-random
>TCP ISNs? When did Mitnick use an exploit for this against Shimomura?
>
>And now ask yourself - when did we *first* start seeing SYN flood attacks (which
>were *originally* used to shut the flooded machine up and prevent it
>from talking while you spoofed its address to some OTHER machine?)
>
That's not quite correct. While flooding can work, Morris found an
implementation bug that made it easier to gag the alleged source. I'd
have to spend a while trying to figure out the exact details; roughly,
though, you picked a port on which the alleged source was in LISTEN
state, created enough half-open connections to fill its queue, and then
used that port (in the privileged range) in launching your spoofing
attack on the real victim. The SYN+ACK packets would be dropped,
rather than eliciting an RST, because they appeared to be SYNs for a
service with a full queue. The difference is that this scheme takes
many fewer packets than a SYN flood -- 5, back in 1985 when the attack
was published -- and works very reliably, with no statistical
dependencies. That bug has long-since been fixed on just about
everything out there, but in the mean time we've seen lots more ways to
take hosts off the air...
--Steve Bellovin, http://www.research.att.com/~smb
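The gagging bug described above, as an added toy model that is not part of the original thread: a LISTEN socket with a half-open queue of depth 5 (the default backlog that matches the "5 packets" figure; a constructed value), processing the attacker's SYNs and then the real victim's SYN+ACK. The "old" behaviour checks queue fullness before looking at the flags, so the SYN+ACK is silently dropped; the "fixed" behaviour is an assumption modelled on the RFC 793 rule that an ACK-bearing segment arriving at a LISTEN socket is answered with a RST before any queue bookkeeping happens.

```python
from collections import deque
from dataclasses import dataclass, field

SYN, ACK, RST = "SYN", "ACK", "RST"


@dataclass
class Listener:
    """Simplified model of one LISTEN socket and its half-open queue."""
    backlog: int
    fixed: bool                 # True: flag check precedes the queue check
    half_open: deque = field(default_factory=deque)

    def handle(self, flags: set) -> str:
        """Return what the stack sends in reply to a segment hitting this socket."""
        if self.fixed and ACK in flags:
            # Assumed fix: an ACK at a LISTEN socket is never a new connection,
            # so it is answered with RST regardless of how full the queue is.
            return RST
        if len(self.half_open) >= self.backlog:
            # Old behaviour: queue is full, segment is treated as one more
            # unwanted SYN and discarded without any reply.
            return "DROP"
        if SYN in flags and ACK not in flags:
            self.half_open.append(object())   # one more half-open connection
            return "SYN+ACK"
        return RST   # anything else (bare ACK, SYN+ACK) gets a RST


def simulate(backlog: int, fixed: bool) -> dict:
    """Fill the queue with plain SYNs, then deliver the victim's SYN+ACK."""
    sock = Listener(backlog, fixed)
    for _ in range(backlog):
        sock.handle({SYN})                    # constructed half-open SYNs
    reply = sock.handle({SYN, ACK})           # the real victim's SYN+ACK
    return {"packets_to_fill": backlog, "reply_to_syn_ack": reply}


if __name__ == "__main__":
    print("old stack:  ", simulate(5, fixed=False))
    print("fixed stack:", simulate(5, fixed=True))
```

With the old ordering the victim never sees a RST and keeps its half-open connection alive; with the fix the gagged host answers RST even when its queue is full, which is why the trick stopped working.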