Excellent host SYN-attack fix for BSD hosts
I've been running Jeff Weisberg's SunOS patches for a day now without trouble on my news and web boxes. He's come up with an implementation of the not-going-into-the-SYN_SENT-or-SYN_RCVD state hack. It appears to be working fine. No state is kept locally; when a SYN is received, an ISS is generated that contains a few bits for reference into a table of MSS values; window size and any initial data is discarded; and the rest of the ISS is the MD5 output of a 32-byte secret and all of the interesting header info.

ftp.op.net:/pub/src/syn-prophylactica/ has sun3 and sun4 patches (the sun4 patches work so far on sun4, sun4c, and sun4m architectures). The hypothetical-this-should-work-on-other-BSD-based-systems source code in the 'net2-src' still hasn't actually been tested, I think.

Tremendous thanks to Jeff for implementing what is still my favorite SYN defense. Hopefully Sun will incorporate this into their security announcement, which basically says you're screwed if you run SunOS, though it does describe how to increase the queue and decrease the SYN-holding timeout (if you have source...). Object files that do that are still described at http://www.netaxs.com/~freedman/syn/, though I think the approach implemented by Jeff is much better, and if you use that approach, increasing the queue and decreasing the SYN-holding timeout are as useless as a command-line interface on a Bay router.

Again, MANY thanks to Jeff.

Avi
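The ISS construction Avi describes above, as an added worked example in Python; this is not code from the original post or from Jeff Weisberg's patches. The server keeps no per-SYN state: the ISS it answers with is a few bits indexing an MSS table plus a truncated MD5 of a secret and the header fields that identify the SYN, and the third-handshake ACK is accepted only if ack-1 reproduces that value. The 32-byte secret, the four-entry MSS table, the two index bits, the 30-bit truncation and the sample addresses are all assumptions made here. Note one property of the scheme as described: nothing time-dependent goes into the hash, so a cookie stays valid for as long as the secret does (a practitioner who wants replayed ACKs to expire mixes a coarse counter into the hash and rotates the secret).

```python
"""Stateless SYN-cookie ISS generation and validation (added example)."""
import hashlib
import struct

# Assumed values for this example: a 32-byte server secret (a real kernel
# would generate it at boot) and a small table of MSS values to encode.
SECRET = bytes(range(32))
MSS_TABLE = (536, 1460, 4312, 8960)
MSS_BITS = 2                         # log2(len(MSS_TABLE)) bits of the ISS
HASH_BITS = 32 - MSS_BITS            # the remaining bits carry the MD5 output
HASH_MASK = (1 << HASH_BITS) - 1


def mss_index(client_mss):
    """Largest table entry not exceeding the client's MSS (index 0 if none)."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            idx = i
    return idx


def cookie_hash(secret, saddr, daddr, sport, dport, client_isn):
    """MD5 over the secret and the header fields that identify this SYN,
    truncated to HASH_BITS bits. The client's window size and any data
    carried on the SYN are not included: they are simply discarded."""
    hdr = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, client_isn)
    digest = hashlib.md5(secret + hdr).digest()
    return int.from_bytes(digest[:4], "big") & HASH_MASK


def syn_cookie(secret, saddr, daddr, sport, dport, client_isn, client_mss):
    """ISS to send in the SYN-ACK. Nothing about this SYN is stored."""
    idx = mss_index(client_mss)
    h = cookie_hash(secret, saddr, daddr, sport, dport, client_isn)
    return (idx << HASH_BITS) | h


def check_ack(secret, saddr, daddr, sport, dport, seq, ack):
    """Validate the third-handshake ACK. Returns the MSS to use for the new
    connection, or None if the ACK does not match a cookie this host would
    have issued (forged ACK, ACK for a SYN-ACK we never sent, wrong secret)."""
    iss = (ack - 1) & 0xFFFFFFFF          # our ISS is acknowledged as ISS+1
    client_isn = (seq - 1) & 0xFFFFFFFF   # the client's SYN consumed one sequence number
    expected = cookie_hash(secret, saddr, daddr, sport, dport, client_isn)
    if (iss & HASH_MASK) != expected:
        return None
    return MSS_TABLE[iss >> HASH_BITS]


if __name__ == "__main__":
    # Constructed sample: 10.0.0.2:40000 connecting to 10.0.0.1:80.
    client, server = b"\x0a\x00\x00\x02", b"\x0a\x00\x00\x01"
    iss = syn_cookie(SECRET, client, server, 40000, 80, 0x12345678, 1460)
    print("SYN-ACK ISS = %#010x, MSS slot %d" % (iss, iss >> HASH_BITS))
    good = check_ack(SECRET, client, server, 40000, 80, 0x12345679, (iss + 1) & 0xFFFFFFFF)
    bad = check_ack(SECRET, client, server, 40000, 80, 0x12345679, (iss + 2) & 0xFFFFFFFF)
    print("genuine ACK -> MSS", good, "; forged ACK ->", bad)
```

The point of the check in check_ack is that a flood of SYNs costs the server one MD5 per SYN and no memory, and a flood of bare ACKs costs one MD5 each and creates no connection unless the attacker can produce the 30 hash bits; with the MSS encoded in the ISS, the server still learns the segment size it needs once the handshake completes.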
Avi Freedman