That's because it's a really nasty attack. I have a copy.. I've successfully completely taken down every layer-3 device of my own that I've launched it against.

The attack sends massive ACKs to the victim. The ACKs are dropped at the kernel, but it's CPU bound. So unless you have tons of CPU to spare, your system will essentially slow to a pause when under this sort of attack.

Another icky thing.. Established bit.. A lot of firewalls ass-u-me that if a packet is marked established, it's valid and should be passed along. This exploit takes advantage of that assumption. I don't know to what level firewall software looks at packets (checking headers for sequence number, etc), but this one is intelligent.

This is no "groundbreaking" attack.. it's been discussed before of how header trickery could do things.. but.. eh.. I dunno. My TCP/IP knowledge only goes so far, so I don't have a ton of room to elaborate.

Regardless.. A successful distributed attack using this exploit *can* take down major parts of the Internet. Key people at software vendors already have copies of this and are trying to work on a fix. I doubt anything real is going to come of it as far as a remedy or counter, very soon.

Regards
Jamie Rishaw

On Thu, Jan 20, 2000 at 12:57:39PM -0600, Joe Shaw wrote:
I haven't heard of it, so could you please provide some more technical details? I saw nothing on it come across bugtraq or in the archives.
-- Joseph W. Shaw - jshaw@insync.net Computer Security Consultant and Programmer Free UNIX advocate - "I hack, therefore I am."
On Thu, 20 Jan 2000, Henry R. Linneweh wrote:
anyone have a preventative method for this?
-- jamie rishaw (efnet:gavroche) -- Exodus Communications, Inc. Senior Network Engineer, Los Angeles / SoCal Data Centers Corporate association for identification, not representation
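The "established bit" assumption Jamie describes above, illustrated with an added example that is not part of this thread: a stateless filter that treats any packet carrying the ACK flag as part of an existing connection is compared with a stateful filter that only passes ACKs matching a connection it has actually seen open. The traffic, the addresses (documentation ranges) and the orphan-ACK threshold are all constructed here for the demonstration; the stateful model is deliberately minimal (it tracks direction, not sequence numbers) and is not any vendor's implementation.

```python
from collections import Counter, namedtuple

# A simplified packet record: source, destination, and the set of TCP flags.
Packet = namedtuple("Packet", ["src", "dst", "flags"])


def stateless_established_filter(pkt):
    """The shortcut criticised in the thread: a bare SYN opens a connection,
    and anything with ACK set is assumed to belong to an established one."""
    return pkt.flags == frozenset({"SYN"}) or "ACK" in pkt.flags


class StatefulFilter:
    """Passes ACK-bearing packets only when a matching connection was seen
    being opened (either direction). Orphan ACKs are dropped and counted
    per destination so a flood can be spotted, not just absorbed."""

    def __init__(self, orphan_ack_threshold=10):
        self.connections = set()      # (src, dst) pairs seen opening with SYN
        self.orphan_acks = Counter()  # dst -> ACKs that matched no connection
        self.threshold = orphan_ack_threshold

    def accept(self, pkt):
        fwd = (pkt.src, pkt.dst)
        rev = (pkt.dst, pkt.src)
        if pkt.flags == frozenset({"SYN"}):
            self.connections.add(fwd)  # new connection attempt is allowed
            return True
        if "ACK" in pkt.flags:
            if fwd in self.connections or rev in self.connections:
                return True
            self.orphan_acks[pkt.dst] += 1  # ACK with no known connection
            return False
        return False

    def flood_suspects(self):
        """Destinations receiving at least `threshold` orphan ACKs."""
        return {dst: n for dst, n in self.orphan_acks.items()
                if n >= self.threshold}


def sample_traffic():
    """Constructed traffic: one legitimate handshake from 192.0.2.50 to
    192.0.2.10, then 20 bare ACKs from varying (spoofed-looking) sources."""
    client, server = "192.0.2.50", "192.0.2.10"
    packets = [
        Packet(client, server, frozenset({"SYN"})),
        Packet(server, client, frozenset({"SYN", "ACK"})),
        Packet(client, server, frozenset({"ACK"})),
    ]
    for i in range(20):
        packets.append(Packet(f"198.51.100.{i + 1}", server, frozenset({"ACK"})))
    return packets


def compare_filters(packets):
    """Return (packets passed by the stateless rule, packets passed by the
    stateful filter, destinations the stateful filter flags as flooded)."""
    stateless_passed = sum(1 for p in packets if stateless_established_filter(p))
    stateful = StatefulFilter()
    stateful_passed = sum(1 for p in packets if stateful.accept(p))
    return stateless_passed, stateful_passed, stateful.flood_suspects()


if __name__ == "__main__":
    passed_stateless, passed_stateful, suspects = compare_filters(sample_traffic())
    print(f"stateless rule passed {passed_stateless} of 23 packets")
    print(f"stateful filter passed {passed_stateful} of 23 packets")
    print(f"flood suspects: {suspects}")
```

The stateless rule passes all 23 packets, because every flood packet carries ACK; the stateful filter passes only the three handshake packets and records the server as receiving 20 orphan ACKs. Tracking connections this way costs memory and CPU of its own, which is the trade-off the thread is really about: the work of deciding that a packet is bogus still has to be done somewhere.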