From owner-freebsd-current Tue May 21 05:21:28 1996
Return-Path: owner-current
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id FAA20969 for current-outgoing; Tue, 21 May 1996 05:21:28 -0700 (PDT)
Received: from nol.net (root@dazed.nol.net [206.126.32.101]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id FAA20963 for ; Tue, 21 May 1996 05:21:25 -0700 (PDT)
Received: from dazed.nol.net (blh@dazed.nol.net [206.126.32.101]) by nol.net (8.7.5/8.7.3) with SMTP id HAA19719; Tue, 21 May 1996 07:21:16 -0500 (CDT)
X-AUTH: NOLNET SENDMAIL AUTH
Date: Tue, 21 May 1996 07:21:14 -0500 (CDT)
From: "Brett L. Hawn"
To: "Charles C. Figueiredo"
cc: current@FreeBSD.ORG
Subject: Re: freebsd + synfloods + ip spoofing
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-current@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 20 May 1996, Charles C. Figueiredo wrote:

> Using DES as a random number generator would be excellent, but might
> not be quick enough. It was rather nicely discussed in an IP spoofing and
> TCP sequence prediction paper I read. Being easy to syn flood + spoof has
> not much to do when it comes to FreeBSD vs. Linux; after 1.3.7x I believe
> a patch isn't even needed to spoof an IP packet. Let's face it, it would
> be somewhat silly to attempt to disallow IP packet spoofing; all you're
> doing is manually building an IP header and sending it away. Traceroute
> and the such need to generate their own headers. Besides, unless your
> clueless losers and lame crackers gain root, they can't open raw sockets.
> Most spoofing/sequencing/hijacking attempts and experiments are from people
> with individual workstations, connected, not users on a server.
> Practically all Unices are easy to syn flood + spoof on; ok, it only takes
> 8 requests to hose, but that's irrelevant. The problem doesn't lie in how
> quickly, it's that it occurs. The problem shouldn't be dealt with on the
> client side, but on the server side.

The problem lies in the fact that:

1: not all OS's are easily synfloodable, seeing as not all OS's are easily
sequenced like fbsd is.

2: as the net grows, more and more 'lusers' are running linux/fbsd/etc at home
on a PPP link and therefore have root privs and can open a raw socket.
'Spoofing Warez', as they're known, are becoming more and more prevalent on
certain parts of IRC, and it's to the point now where the person spoofing you
doesn't even have to know what they're doing; all they do is fill out a basic
formula of command line arguments and *poof* they're you.

For kicks some time ago I built a spoofer and I can tell you this much:
creating at least a pseudo-random number generator for sequencing will stop a
large # of the spoofers.

Brett
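The mitigation both posters circle around (a keyed, per-connection initial sequence number instead of a globally predictable counter) as an added illustration that is not code from this thread or from FreeBSD: a fixed-increment ISN generator beside an RFC 1948-style keyed-hash generator, plus the audit check a defender can run against either to see whether consecutive ISNs leak a constant step. The probe addresses, ports and secret are constructed for the example; HMAC-SHA256 stands in for the keyed function (the thread mentions DES as one candidate).

```python
import hashlib
import hmac
import os
import struct
import time

MASK32 = 0xFFFFFFFF
# Constructed secret: a real stack draws this at boot and should rekey it periodically.
SECRET = os.urandom(16)


class FixedIncrementISN:
    """Old-style generator: one global counter bumped by a constant per connection.
    Seeing the ISN handed to any one client reveals what the next client will get."""
    def __init__(self, start=0, step=64000):
        self.counter, self.step = start, step

    def next_isn(self, src, sport, dst, dport):
        self.counter = (self.counter + self.step) & MASK32
        return self.counter


class KeyedHashISN:
    """RFC 1948-style generator: ISN = M + F(src, sport, dst, dport, secret), where M is
    a 4-microsecond tick and F is a keyed hash. Each 4-tuple gets its own secret offset,
    so one connection's ISN says nothing about another's, while a single peer pair still
    sees a monotonically advancing sequence across its connections."""
    def __init__(self, secret, clock_us=lambda: time.monotonic_ns() // 1000):
        self.secret, self.clock_us = secret, clock_us

    def next_isn(self, src, sport, dst, dport):
        ident = f"{src}:{sport}->{dst}:{dport}".encode()
        digest = hmac.new(self.secret, ident, hashlib.sha256).digest()
        offset = struct.unpack(">I", digest[:4])[0]
        return ((self.clock_us() // 4) + offset) & MASK32


def isn_looks_predictable(gen, samples=8, tolerance=256):
    """Audit check: take ISNs for several probe connections from distinct source ports
    and compare the deltas between consecutive values. If every delta sits within
    `tolerance` of the first, one observed ISN lets an outsider guess the next to within
    a TCP window, which is the property that makes blind spoofing practical.
    Returns True when the generator fails the check."""
    isns = [gen.next_isn("10.0.0.1", 40000 + i, "10.0.0.2", 80) for i in range(samples)]
    deltas = [(b - a) & MASK32 for a, b in zip(isns, isns[1:])]
    return all(abs(d - deltas[0]) <= tolerance for d in deltas)


if __name__ == "__main__":
    print("fixed increment predictable:", isn_looks_predictable(FixedIncrementISN()))
    print("keyed hash predictable:     ", isn_looks_predictable(KeyedHashISN(SECRET)))
```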