Date:      Thu, 19 Jul 2001 17:08:52 -0700
From:      Peter Wemm <peter@wemm.org>
To:        tlambert2@mindspring.com
Cc:        Barry Pederson <bpederson@geocities.com>, freebsd-arch@FreeBSD.ORG
Subject:   Re: TCP Initial Sequence Numbers: We need to talk 
Message-ID:  <20010720000852.36B7B3811@overcee.netplex.com.au>
In-Reply-To: <3B5696E1.3A038FF5@mindspring.com> 

Terry Lambert wrote:
> Barry Pederson wrote:
> > Jonathan Lemon wrote:
> > >
> > > It's not feasible; he's overlooking several things.  Among them
> > > are: 1. it is susceptible to replay attacks, 2. the secret is
> > > per IP, and 3. "having the response go nowhere" is not a valid
> > > defense, if the attacker can guess it.
> > 
> > 1, 2. It's protecting against spoofed SYN floods, the replay attack
> > would have to be a non-spoofed ACK flood (since the attacker could
> > probably figure out their own token) --or-- the attacker was also
> > sniffing your network, could see what was in the outgoing SYN/ACK
> > packets at least once for each spoofed IP, and then flooded with spoofed
> > ACKs containing the encrypted token for that particular spoofed address.
> 
> My favorite attack for this would be to just ACK the hell
> out of your machine so that it burnt up all your CPU doing
> RC5's, which the attacker could just ignore...

Exactly.  This is the fundamental difference between classic syn cookies
vs the syn_cache compressed tcp state engine stuff.  syn cookies move
the expensive part of the syn processing to the ack side, which you can
still attack.

The BSDi (and improved by NetBSD) syn_cache stuff does lightweight
preprocessing and protects the expensive stack from this crud.  It has
optional RFC1948 (or whatever number it is) ISN support as well.

Windows NT has something similar too.  They have a compressed tcp state
for tracking massive numbers of TIME_WAIT connections without consuming a
full pcb/tcpcb etc.  I'm sure they use this for other things too.

Cheers,
-Peter
--
Peter Wemm - peter@FreeBSD.org; peter@yahoo-inc.com; peter@netplex.com.au
"All of this is for nothing if we don't go to the stars" - JMS/B5
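To make the cost argument above concrete, here is an added model (not code from this thread or from any BSD stack) that counts per-packet MAC work under the two designs; the class names, the HMAC-SHA256 stand-in for the RC5 cookie, and the traffic mix are all assumptions of this example.

```python
import hashlib, hmac, struct

SECRET = b"constructed-example-secret"  # constructed; a real stack rotates this

def cookie_isn(tup, slot):
    """ISN = truncated HMAC over (4-tuple, time slot); the per-packet crypto cost the thread argues about."""
    digest = hmac.new(SECRET, struct.pack("!IHIHI", *tup, slot), hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")

class CookieServer:
    """Classic SYN cookies: nothing is stored on SYN, so every ACK, genuine
    or forged, forces a MAC recomputation before it can be rejected."""
    def __init__(self):
        self.mac_ops, self.accepted = 0, 0
    def on_syn(self, tup, slot):
        self.mac_ops += 1
        return cookie_isn(tup, slot)
    def on_ack(self, tup, ack, slot):
        self.mac_ops += 1                          # paid for unknown tuples too
        if ack == cookie_isn(tup, slot) + 1:       # wrap-around ignored in this model
            self.accepted += 1

class SynCacheServer:
    """syn_cache: one small entry per pending SYN; an ACK whose 4-tuple has no
    entry is dropped by a dictionary lookup and never reaches costly work."""
    def __init__(self):
        self.mac_ops, self.accepted, self.pending = 0, 0, {}
    def on_syn(self, tup, slot):
        self.mac_ops += 1                          # RFC 1948-style ISN, once per SYN
        self.pending[tup] = cookie_isn(tup, slot)
        return self.pending[tup]
    def on_ack(self, tup, ack, slot):
        isn = self.pending.get(tup)                # cheap gate, no crypto
        if isn is not None and ack == isn + 1:
            del self.pending[tup]
            self.accepted += 1                     # only now build the full tcpcb

def simulate(n_legit, n_bogus_acks, slot=7):
    """Constructed traffic: n_legit full handshakes, then n_bogus_acks ACKs for
    4-tuples that never sent a SYN. Returns {design: (mac_ops, accepted)}."""
    results = {}
    for name, srv in (("syn_cookies", CookieServer()), ("syn_cache", SynCacheServer())):
        for i in range(n_legit):
            tup = (0x0A000000 + i, 40000 + i % 20000, 0xC0A80001, 80)
            srv.on_ack(tup, srv.on_syn(tup, slot) + 1, slot)
        for i in range(n_bogus_acks):
            srv.on_ack((0xC6336400 + i, 1024 + i % 60000, 0xC0A80001, 80), 0, slot)
        results[name] = (srv.mac_ops, srv.accepted)
    return results
```

With 100 real handshakes and 5000 stray ACKs, the cookie design does 5200 MACs while syn_cache does 100; both accept exactly the 100 real connections.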