From owner-freebsd-current Tue May 21 08:15:28 1996
Return-Path: owner-current
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id IAA01097 for current-outgoing; Tue, 21 May 1996 08:15:28 -0700 (PDT)
Received: from apocalypse.superlink.net (root@apocalypse.superlink.net [205.246.27.150]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id IAA01091 for ; Tue, 21 May 1996 08:15:17 -0700 (PDT)
Received: (from marxx@localhost) by apocalypse.superlink.net (8.7.5/8.7.3) id HAA01431; Tue, 21 May 1996 07:24:35 -0400 (EDT)
Date: Tue, 21 May 1996 07:24:35 -0400 (EDT)
From: "Charles C. Figueiredo"
To: "Brett L. Hawn"
cc: current@FreeBSD.ORG
Subject: Re: freebsd + synfloods + ip spoofing
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-current@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

"I don't want to grow up, I'm a BSD kid. There's so many toys in /usr/bin
that I can play with!"
------------------------------------------------------------------------------
Charles C. Figueiredo          Marxx          marxx@superlink.net
------------------------------------------------------------------------------

On Tue, 21 May 1996, Brett L. Hawn wrote:

> On Mon, 20 May 1996, Charles C. Figueiredo wrote:
>
> > Using DES as a random number generator would be excellent, but might
> > not be quick enough. It was rather nicely discussed in an IP spoofing and
> > TCP sequence prediction paper I read. Being easy to syn flood + spoof has
> > not much to do when it comes to FreeBSD vs. Linux; after 1.3.7x I believe
> > a patch isn't even needed to spoof an IP packet. Let's face it, it would
> > be somewhat silly to attempt to disallow IP packet spoofing; all you're
> > doing is manually building an IP header and sending it away. Traceroute
> > and the like need to generate their own headers. Besides, unless your
> > clueless losers and lame crackers gain root, they can't open raw sockets.
> > Most spoofing/sequencing/hijacking attempts and experiments are from people
> > with individual workstations, connected, not users on a server.
> > Practically all Unices are easy to syn flood + spoof on; ok, it only takes
> > 8 requests to hose, but that's irrelevant. The problem doesn't lie in how
> > quickly, it's that it occurs. The problem shouldn't be dealt with on the
> > client side, but on the server side.
>
> The problem lies in the fact that 1: not all OS's are easily synfloodable,
> seeing as not all OS's are easily sequenced like fbsd is. 2: as the net
> grows more and more 'lusers' are running linux/fbsd/etc at home on a PPP
> link and therefore have root privs and can open a raw socket. 'Spoofing
> Warez' as they're known are becoming more and more prevalent on certain
> parts of IRC and it's to the point now where the person spoofing you doesn't
> even have to know what they're doing; all they do is fill out a basic
> formula of command line arguments and *poof* they're you.

I agree, there are a number of packages being distributed. The bottom line
is, however, that any TCP implementation can have its seqs predicted at the
moment; even newer SVR4 implementations that alternate every 60 or so
seconds can be taken care of. Stop banging on FreeBSD, everybody is at
risk. ;-)

> For kicks some time ago I built a spoofer and I can tell you this much,

Child's play :P

> creating at least a pseudo-random number generator for sequencing will stop
> a large # of the spoofers.
>
> Brett
>
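The thread above argues over whether a predictable TCP initial sequence number (ISN) is the real enabler of blind spoofing, and whether a keyed generator (the "DES as a random number generator" idea) would stop it. The following is an added illustration, not code from the thread or from any FreeBSD source: it simulates the attack as a pure-Python model. The constant-increment generator is modelled on the classic BSD scheme (the increment constants below are assumed for illustration, not taken from any particular kernel); the keyed alternative follows the RFC 1948 pattern, a per-connection counter plus a hash of the connection 4-tuple and a host secret, which is the same idea as keying DES. The blind attacker connects twice from its own address to learn the step, then guesses the ISN the server will hand to a forged SYN from the trusted host.

```python
import hashlib
import struct

# Assumed constants for the simulation (modelled on the classic BSD behaviour,
# not copied from any kernel): the global counter is bumped per second and per
# connection, and ISNs live in a 32-bit space.
ISS_INCR_PER_SEC = 128 * 1024
ISS_INCR_PER_CONN = ISS_INCR_PER_SEC // 2
MOD = 1 << 32


class IncrementingISN:
    """Predictable generator: one global counter shared by every peer."""

    def __init__(self, start=0):
        self.iss = start % MOD

    def tick(self, seconds=1):
        # Clock-driven increment; identical for all peers, so still linear.
        self.iss = (self.iss + ISS_INCR_PER_SEC * seconds) % MOD

    def next_isn(self, four_tuple):
        # The 4-tuple is ignored: every connection just advances the counter.
        self.iss = (self.iss + ISS_INCR_PER_CONN) % MOD
        return self.iss


class KeyedISN:
    """RFC 1948 style generator: counter + keyed hash of the 4-tuple."""

    def __init__(self, secret, start=0):
        self.secret = secret
        self.iss = start % MOD

    def tick(self, seconds=1):
        self.iss = (self.iss + ISS_INCR_PER_SEC * seconds) % MOD

    def next_isn(self, four_tuple):
        self.iss = (self.iss + ISS_INCR_PER_CONN) % MOD
        laddr, lport, raddr, rport = four_tuple
        # Per-peer offset: attacker learns it only for tuples it can observe.
        msg = f"{laddr}:{lport}:{raddr}:{rport}".encode() + self.secret
        offset = struct.unpack(">I", hashlib.md5(msg).digest()[:4])[0]
        return (self.iss + offset) % MOD


def predict_next(isn_a, isn_b):
    """Linear extrapolation from two observed ISNs (assumes a constant step)."""
    step = (isn_b - isn_a) % MOD
    return (isn_b + step) % MOD


def blind_spoof(gen, probe_tuple, victim_tuple):
    """Model the blind attack.

    probe_tuple:  server's view of the attacker's own, legitimate connections
                  (attacker sees these SYN/ACKs, so it learns the ISNs).
    victim_tuple: server's view of the forged connection from the trusted host
                  (attacker never sees this SYN/ACK and must guess the ISN).
    Returns (guess, actual, success).
    """
    a = gen.next_isn(probe_tuple)
    b = gen.next_isn(probe_tuple)
    guess = predict_next(a, b)
    actual = gen.next_isn(victim_tuple)   # what the server really picked
    return guess, actual, guess == actual


# Constructed sample input: the server is 10.0.0.1, the trusted host 10.0.0.2,
# the attacker 192.0.2.9 (all addresses made up for the example).
PROBE = ("10.0.0.1", 23, "192.0.2.9", 40000)
VICTIM = ("10.0.0.1", 23, "10.0.0.2", 1023)


def demo():
    weak = blind_spoof(IncrementingISN(start=0), PROBE, VICTIM)
    strong = blind_spoof(KeyedISN(b"host-secret-assumed"), PROBE, VICTIM)
    return {"incrementing": weak, "keyed": strong}


if __name__ == "__main__":
    for name, (guess, actual, ok) in demo().items():
        print(f"{name:12s} guess={guess:#010x} actual={actual:#010x} hit={ok}")
```

With the incrementing generator the two probes give the attacker the exact per-connection step, so the third ISN is guessed outright. With the keyed generator the step between the attacker's own connections is still learnable, but the trusted host's tuple carries a different hash offset that never appears in anything the attacker can observe, so the linear guess misses by that offset. Note what the keyed scheme does not fix: the server can still be SYN-flooded from a forged source, which is the separate point the thread makes about the problem being on the server side.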