Bugtraq mailing list archives
Re: denial of service attack possible
From: casper () Holland Sun COM (Casper Dik)
Date: Sun, 29 Oct 1995 13:24:48 +0100
[Denial of service possible by remote host putting multiple connections to a port into the SYN_RCVD state, thereby precluding further (legitimate) connection attempts.]
This problem is partly in the way the interface on top of TCP/IP has been defined. Had accept been defined in such a way that a connection request could be accepted and then rejected, there would not have been a problem. However, accept() will not return until the three-way handshake is complete and if the source doesn't cooperate or if the server is missing the return route, the kernel queue will fill up and after the maximum is reached no further connections will succeed. This backlog parameter also severely limits the number of connections/second an http server can accept.
It's even worse. The same thing was done deliberately by Kevin Mitnick during his packet-spoofing attack on Shimomura's machines in San Diego. Mitnick put lots of connections into the SYN_RCVD state on machine A, thereby "jamming" machine A and preventing it from interfering (by sending RST packets) with his attack on machine B, impersonating machine A.
It doesn't need to be that way. I was told that Solaris 2.x machines will send RSTs for non-existing connections, even if the incoming connection queue is full. And that is not as strange as it appears: you're only interested in queueing naked SYNs, all unexpected packets can still be rejected with a RST.
Casper
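Added example, not part of the original post and not Solaris code: a simplified C model of the behaviour the message describes, where only a naked SYN needs a backlog slot and any other unexpected segment is answered with a RST even when the queue is full. The backlog size, the numeric peer ids and the `on_segment` function are assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>

#define BACKLOG 3                      /* assumed tiny listen backlog for the demo */
enum { F_SYN = 1, F_ACK = 2 };         /* simplified TCP flag bits */
enum action { SEND_SYNACK, DROP_SYN, ESTABLISH, SEND_RST };

struct listener {
    unsigned half_open[BACKLOG];       /* peers in SYN_RCVD (a real stack keys on the 4-tuple) */
    size_t n;
};

static int find(const struct listener *l, unsigned peer)
{
    for (size_t i = 0; i < l->n; i++)
        if (l->half_open[i] == peer)
            return (int)i;
    return -1;
}

/* Decide the reply to one segment arriving for a listening port. */
enum action on_segment(struct listener *l, unsigned peer, int flags)
{
    int i = find(l, peer);

    if (flags == F_SYN) {              /* naked SYN: the only case that needs a slot */
        if (i >= 0)
            return SEND_SYNACK;        /* retransmitted SYN, slot already held */
        if (l->n == BACKLOG)
            return DROP_SYN;           /* queue full: new connections fail */
        l->half_open[l->n++] = peer;
        return SEND_SYNACK;
    }
    if (flags == F_ACK && i >= 0) {    /* third step of the handshake */
        l->half_open[i] = l->half_open[--l->n];
        return ESTABLISH;
    }
    return SEND_RST;                   /* unexpected segment: reject, no state consumed */
}

int main(void)
{
    struct listener l = { {0}, 0 };
    for (unsigned p = 1; p <= BACKLOG; p++)
        on_segment(&l, p, F_SYN);      /* constructed peers 1..3 never send the final ACK */
    printf("new SYN with full queue -> %d\n", on_segment(&l, 4, F_SYN));
    printf("stray SYN|ACK with full queue -> %d\n", on_segment(&l, 9, F_SYN | F_ACK));
    return 0;
}
```

The RST branch never touches the queue, which is why a full backlog does not have to stop a host from rejecting segments for connections it never opened.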