Date: Mon, 20 May 1996 21:02:49 -0400 (EDT) From: "Charles C. Figueiredo" <marxx@apocalypse.superlink.net> To: "Brett L. Hawn" <blh@nol.net> Cc: current@FreeBSD.ORG Subject: Re: freebsd + synfloods + ip spoofing Message-ID: <Pine.BSF.3.91.960520205423.709A-100000@apocalypse.superlink.net> In-Reply-To: <Pine.SOL.3.93.960520221159.1155A-100000@dazed.nol.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Using DES as a random number generator would be excellent, but might not be quick enough. It was rather nicely discussed in a IP spoofing and TCP sequence prediction paper I read. Being easy to syn flood + spoof has not much to do when it comes to FreeBSD vs. Linux, after 1.3.7x I believe a patch isn't even needed to spoof an IP packet. Let's face it, it would be somewhat silly to attempt to disallow IP packet spoofing, all you're doing it manually building a IP header, and sending it away. Traceroute and the such need to generate their own headers. Besides, unless your clueless losers and lame crackers gain root, they can't open raw sockets. Most spoofing/sequencing/hijacking attempts an experiments are from people with individual workstations, connected, not users on a server. Practically all Unices are easy to syn flood + spoof on, ok, it only takes 8 requests to hose, but that's irrelevant. The problem doesn't lye in how quickly, it's that it occurs. The problem shouldn't be delt with on the client side, but on the server side. Regards, Marxx "I don't want to grow up, I'm a BSD kid. There's so many toys in /usr/bin that I can play with!" ------------------------------------------------------------------------------ Charles C. Figueiredo Marxx marxx@superlink.net ------------------------------------------------------------------------------ On Mon, 20 May 1996, Brett L. Hawn wrote: > While chatting with my fellow administrator we were discussing (yes, the age > old argument) freebsd vs linux. One of the points he made was that even the > latest releases of fbsd are easy to synflood & spoof. Now for us and OUR > users this isn't a problem since we have filters on our cisco that disallows > spoofing but lets face it, most ISP's are clueless. My roommate who keeps up > with fbsd somewhat more than I do was just chatting with me about this fact > and mentioned that someone is working on the socket code and I thought I'd > mention this problem since it is (imho) a SERIOUS security problem for those > who don't neccessarily know better. > > On the same topic I had been doing some thinking about tcp sequecing and I > was contemplating using a DES noise generator to procude pseudo-random > numbers (this idea compliments of the folks on #unix) for the sequencing, > any comments? > > Brett > >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.91.960520205423.709A-100000>