OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq Archives: Re: explanation and code for stream.c issues

Re: explanation and code for stream.c issues

Subject: Re: explanation and code for stream.c issues
From: Vladimir Dubrovin (vladSANDY.RU)
Date: Sat Jan 22 2000 - 05:14:29 CST

Hello Don Lewis,

22.01.00 13:58, you wrote: explanation and code for stream.c issues;

D> } Intruder sends SYN packet and then sends, lets say 1000 ACK packets to
D> } the same port from same port and source address. SYN packet will open
D> } ipfilter to pass all others packets. This attack doesn't need
D> } randomization for each packet.

D> Instead of producing RST responses, this will produce ACKs. Your earlier
D> comment about this prompted my comment in another thread about the
D> possible need to rate limit ACK packets.

This will not produce ACK packets, if ACK send by intruder doesn't
conform sequence number in the SYN/ACK response of victim. Original
stream.c used

    packet.tcp.th_ack = 0;

i changed to

    packet.tcp.th_ack = random();
    for ACK packets.

But it's not principial - victim will reply RST for this packet in
most cases.

  +=-=-=-=-=-=-=-=-=+
  |Vladimir Dubrovin|
  | Sandy Info, ISP |
  +=-=-=-=-=-=-=-=-=+

This archive was generated by hypermail 2b27 : Sun Jan 23 2000 - 17:22:06 CST