Re: explanation and code for stream.c issues

Subject: Re: explanation and code for stream.c issues
From: Don Lewis (Don.LewisTSC.TDK.COM)
Date: Sat Jan 22 2000 - 04:58:44 CST

• Next message: Markus Hofmann: "Re: Vulnerabilities in Checkpoint FW-1 version 3.x and maybe 4.x"
• Previous message: antirez: "Re: usual iploggers miss some variable stealth scans"
• Next in thread: Vladimir Dubrovin: "Re: explanation and code for stream.c issues"
• Maybe reply: Don Lewis: "Re: explanation and code for stream.c issues"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Jan 22, 1:41pm, Vladimir Dubrovin wrote:
} Subject: Re[2]: explanation and code for stream.c issues

} >>Attack can be easily changed to send pair SYN and invalid SYN/ACK
}
} My mistake here - SYN/ACK packet isn't required. Sorry, i wrote this
} message after 11 hours of work.

Only 11 hours, I've been here for 22, minus a couple hours of breaks.

} Intruder sends SYN packet and then sends, lets say 1000 ACK packets to
} the same port from same port and source address. SYN packet will open
} ipfilter to pass all others packets. This attack doesn't need
} randomization for each packet.

Instead of producing RST responses, this will produce ACKs. Your earlier
comment about this prompted my comment in another thread about the
possible need to rate limit ACK packets.

} By the way - published stream.c doesn't use ACK bit at all.
} packet.tcp.th_flags = 0;

There was a correction published that changed this to set the ACK bit.

• Next message: Markus Hofmann: "Re: Vulnerabilities in Checkpoint FW-1 version 3.x and maybe 4.x"
• Previous message: antirez: "Re: usual iploggers miss some variable stealth scans"
• Next in thread: Vladimir Dubrovin: "Re: explanation and code for stream.c issues"
• Maybe reply: Don Lewis: "Re: explanation and code for stream.c issues"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b27 : Mon Jan 24 2000 - 01:53:00 CST