In message <200103122349.f2CNndk28613@foo-bar-baz.cc.vt.edu>, Valdis.Kletnieks@ vt.edu writes:

On Mon, 12 Mar 2001 18:09:32 EST, "Richard A. Steenbergen" said:

...

And since the "victim" will have the current sequence number for inbound data, what would keep it from (correctly) sending an RST and tearing down this false connection?

And THAT my friends, was the *original* purpose for a TCP SYN flood - it wasn't to DOS the victim, it was to DOS a machine *trusted by* the victim so you could forge a connection and NOT get nailed by an RST.

I'm sure that Steve Bellovin can point us at the original discussion of this, which was *ages* ago. I remember hearing that Kevin Mitnick used that (in addition to other tricks) against Shimomura's machines and thinking "Hmm.. so it's *not* just a theoretical attack anymore..."

More or less. When doing a sequence number guessing attack, one of the problems faced by the attacker is preventing the spoofed machine from replying with an RST to the SYN+AC for a connection it knows nothing about. Morris's original version used a low-rate SYN flood that exploited a bug in the BSD kernel to effectively gag a low-numbered port. His paper can be found at ftp://ftp.research.att.com/dist/internet_security/117.ps.Z This isn't the same weakness that was exploited by the early SYN floods, but it took advantage of the same limit on half-open connections. --Steve Bellovin, http://www.research.att.com/~smb