Bugtraq mailing list archives

Re: Reachable addresses on the net (was SYN floods)

From: oxymoron () waste org (Oliver Xymoron)
Date: Tue, 3 Sep 1996 15:15:07 -0500


On Tue, 3 Sep 1996, Speed Racer wrote:

On Sat, 31 Aug 1996, Oliver Xymoron wrote:

As you can see, the address space is still quite sparse (less than 1 out
of every 200 addresses is reachable in my test), with most being inside
the 127 net.  At least for the purpose of SYN flooding, the assumption
that a random address is unreachable is probably safe and probably quite
useful. Any local protection has to bear this in mind, and perhaps keep a
cache of known good addresses handy.


Some questions for you-

1. When you generated the random addresses, did you throw out anything in
class A nets 56-127?  Those are marked reserved according to the IANA, as
are all nets 224 (225?) and up.  That's a lot of the address space right
there.


My initial version took four bytes from /dev/random and used them as an
address, no filtering. The version I posted used the rand() function in
Perl. So it was trying to ping everything, including reserved addresses,
multicast groups, loopbacks, broadcast addresses, etc..

2. Exactly how did you manage to get replies from net 127 addresses?  I
could SWEAR that 127 is marked reserved for localhost.  It would certainly
be possible to set up a network on 127; most routing software doesn't care
too much about 127, but it'd be kinda goofy.


Linux boxes at least responds to everything on the loopback interface. I'm
guessing this is some form of loopback optimization..

I do agree that a cache of valid addresses might be a good idea; I'm not
sure how it could be implemented tho.


Perhaps by keeping track via hashing of the last N addresses that have
actually established connections and throwing away SYN packets that are
blocking things up and are from otherwise unknown locations. No good for a
web server, which is accessed by relatively random addresses anyway, but
it might keep a flood from locking out something crucial like telnet.. It
might also make sense to allow firewalls to "give precedence" to packets
received on local interfaces over stuff from ISPs..

--
 "Love the dolphins," she advised him. "Write by W.A.S.T.E.."

Current thread:

Re: Reachable addresses on the net (was SYN floods) Jared Mauch (Sep 02)
- <Possible follow-ups>
- Re: Reachable addresses on the net (was SYN floods) der Mouse (Sep 03)
  - Re: Reachable addresses on the net (was SYN floods) Alan Brown (Sep 05)
  - [linux-security] samba 1.9.16p2-2 (RedHat): Damn /tmp security Zygo Blaxell (Sep 10)
- Re: Reachable addresses on the net (was SYN floods) Oliver Xymoron (Sep 03)
- Re: Reachable addresses on the net (was SYN floods) Oliver Xymoron (Sep 03)
  - Re: Reachable addresses on the net (was SYN floods) Alan Cox (Sep 04)
  - quick and dirty x-protect *Hobbit* (Sep 04)
- Re: Reachable addresses on the net (was SYN floods) Charles M. Hannum (Sep 10)