From owner-freebsd-arch  Thu Jul 19  1:13:55 2001
Delivered-To: freebsd-arch@freebsd.org
Received: from scaup.mail.pas.earthlink.net (scaup.mail.pas.earthlink.net [207.217.121.49])
	by hub.freebsd.org (Postfix) with ESMTP id 5FC5C37B403
	for <freebsd-arch@FreeBSD.ORG>; Thu, 19 Jul 2001 01:13:53 -0700 (PDT)
	(envelope-from tlambert2@mindspring.com)
Received: from mindspring.com (dialup-209.247.141.193.Dial1.SanJose1.Level3.net [209.247.141.193])
	by scaup.mail.pas.earthlink.net (EL-8_9_3_3/8.9.3) with ESMTP id BAA19885;
	Thu, 19 Jul 2001 01:13:48 -0700 (PDT)
Message-ID: <3B5696E1.3A038FF5@mindspring.com>
Date: Thu, 19 Jul 2001 01:14:25 -0700
From: Terry Lambert <tlambert2@mindspring.com>
Reply-To: tlambert2@mindspring.com
X-Mailer: Mozilla 4.7 [en]C-CCK-MCD {Sony}  (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Barry Pederson <bpederson@geocities.com>
Cc: freebsd-arch@FreeBSD.ORG
Subject: Re: TCP Initial Sequence Numbers: We need to talk
References: <001101c10fcc$7a7927f0$a586fa18@chris> <20010718160345.J74461@prism.flugsvamp.com> <3B561053.6370CEE8@geocities.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-arch@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-arch.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-arch>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-arch>
X-Loop: FreeBSD.ORG

Barry Pederson wrote:
> Jonathan Lemon wrote:
> >
> > Its not feasible; he's overlooking several things.  Among them
> > are: 1. it is susceptible to replay attacks, 2. the secret is
> > per IP, and 3. "having the response go nowhere" is not a valid
> > defense, if the attacker can guess it.
> 
> 1, 2. It's protecting against spoofed SYN floods, the replay attack
> would have to be a non-spoofed ACK flood (since the attacker could
> probably figure out their own token) --or-- the attacker was also
> sniffing your network, could see what was in the outgoing SYN/ACK
> packets at least once for each spoofed IP, and then flooded with spoofed
> ACKs containing the encrypted token for that particular spoofed address.

My favorite attack for this would be to just ACK the hell
out of your machine so that it burnt up all your CPU doing
RC5's, which the attacker could just ignore...

-- Terry

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-arch" in the body of the message