Bugtraq mailing list archives
Re: Excellent host SYN-attack fix for BSD hosts
From: granville_moore () il us swissbank com (Granville Moore)
Date: Mon, 14 Oct 1996 13:31:47 +0100
"Charles M. Hannum" <mycroft () mit edu> writes:

> Avi Freedman <freedman () netaxs com> writes:
>
> > No state is kept locally; when a SYN is received, an ISS is generated
> > that contains a few bits for reference into a table of MSS values;
> > window size and any initial data is discarded; and the rest of the ISS
> > is the MD5 output of a 32-byte secret and all of the interesting header
> > info.
>
> This doesn't seem to deal with window scaling, which is a big lose on
> high-bandwidth networks. It also breaks TCP's algorithm for recognizing
> stale data.

I don't understand why window scaling would be a problem, since the window size isn't included in the MD5, but I believe that the stale data issue can be addressed by using a "rolling secret".

By changing the 32-byte secret, say every minute, retaining the old secret for one minute, and checking incoming packets against both, you can be sure that if a packet checks out OK against either, then the original SYN must have been processed within the last 2 minutes. Each ACK sent is good for at least one minute (even if the secret changes immediately after it's generated).

If the variation in the timeout (1-2 minutes) isn't acceptable, it can be reduced by changing the secret more often, and retaining more old versions on a rolling basis (e.g. changing every 10 seconds, retaining 6 old copies would give a timeout of between 60 and 70 seconds).

By checking against old versions in an "intelligent" order (decreasing order of hit-frequency would seem good), it should be possible to minimise the overhead of multiple MD5 calculations.

Regards,
Granville

-----------------------------------------------------------------------
Granville Moore                          granville.moore () swissbank com
Perot Systems at SBC Warburg, London
Nothing in this message represents the views of SBC Warburg or Perot Systems
-----------------------------------------------------------------------
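The rolling-secret scheme described above, as an added example that is not code from the original thread or from any BSD implementation: a stateless SYN handler that encodes an MSS-table index in the top bits of the ISS, fills the rest with MD5 over a 32-byte secret and the connection's header fields, and validates a returning ACK against the current secret plus a fixed number of retired ones (newest first). The four-entry MSS table, the 30/2 bit split, the class and method names, and the sample addresses are all assumptions.

```python
import hashlib
import os
import struct
from collections import deque
from ipaddress import IPv4Address

# Constructed 4-entry MSS table: the top two ISS bits index into it (assumption).
MSS_TABLE = (536, 1460, 4312, 8960)
HASH_BITS = 30
HASH_MASK = (1 << HASH_BITS) - 1


class RollingCookieServer:
    """Stateless SYN handling with a rolling 32-byte secret.

    keep_old retired secrets are still accepted, so with a rotation period
    of P seconds an ACK is valid for between P*keep_old and P*(keep_old+1).
    """

    def __init__(self, keep_old=1, secret=None):
        self.secrets = deque(maxlen=keep_old + 1)  # newest first
        self.secrets.appendleft(secret or os.urandom(32))

    def rotate(self):
        """Install a fresh secret; the bounded deque drops the oldest one."""
        self.secrets.appendleft(os.urandom(32))

    @staticmethod
    def _hash(secret, client_ip, server_ip, client_port, server_port, client_isn):
        # "Interesting header info": the 4-tuple plus the client's ISN (seq - 1 on the ACK).
        hdr = struct.pack("!4s4sHHI", IPv4Address(client_ip).packed,
                          IPv4Address(server_ip).packed, client_port, server_port, client_isn)
        digest = hashlib.md5(secret + hdr).digest()
        return int.from_bytes(digest[:4], "big") & HASH_MASK

    def make_iss(self, client_ip, server_ip, client_port, server_port, client_isn, mss):
        """Build the ISS for a SYN/ACK; nothing about the connection is stored."""
        idx = 0
        for i, m in enumerate(MSS_TABLE):  # largest table entry not above the offered MSS
            if m <= mss:
                idx = i
        h = self._hash(self.secrets[0], client_ip, server_ip, client_port, server_port, client_isn)
        return (idx << HASH_BITS) | h

    def validate_ack(self, client_ip, server_ip, client_port, server_port, client_isn, ack):
        """Return the MSS encoded in the cookie, or None if the ACK is stale or forged."""
        iss = (ack - 1) & 0xFFFFFFFF
        idx, h = iss >> HASH_BITS, iss & HASH_MASK
        for secret in self.secrets:  # newest first: the most likely hit costs one MD5
            if self._hash(secret, client_ip, server_ip, client_port, server_port, client_isn) == h:
                return MSS_TABLE[idx]
        return None
```

With keep_old=1 an ACK survives exactly one rotation; a second rotation before it arrives makes the handshake fail, which is the timeout behaviour the post describes.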