ideas for half-open SYN flood fixes
ideas for half-open SYN flood fixes?

What I understand about this vulnerability: if a spoofed packet contains a host address that does exist on the net, then the real host sends a reset and the fake half-open socket is killed. No problem for the host. If a spoofed packet contains a nonexistent host address, then no host is present to send a reset. Big problem for the host.

fix 1. Doesn't the network respond with an ICMP message to the attacked host telling it that the nonexistent host is unreachable? The attacked host could close a half-open socket if it received an ICMP message with the corresponding host address and socket port data.

fix 2. If a router cannot deliver a SYN-ACK packet it could send a reset for that SYN-ACK.

fix 3. If a host sent a ping to the requesting source address before sending the SYN-ACK then it could kill nonresponding hosts quickly.

Three ideas from a lurker.

Peter Cole
peter@telescan.com
Telescan Inc.
(713) 588-9155
Better computing through lack of sleep
from the quill of peter@telescan.com (Peter Cole) on scroll <199609201650.MAA10156@merit.edu>
> fix 1. Doesn't the network respond with an ICMP message to the attacked host telling it that the nonexistent host is unreachable? The attacked host could close a half-open socket if it received an ICMP message with the corresponding host address and socket port data.
Ideally. A lot of firewalls silently drop packets which don't get past the security policy, to make port scanning take much longer than it would if ICMPs were sent back. No resets, no ICMP unreachable.

b.

--
Brian J. Murrell
Brian_Murrell@bctel.net
BCTel Advanced Communications
brian@ilinx.com
Vancouver, B.C.
brian@wimsey.com
604 454 5279
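The half-open table and the two outcomes discussed in this thread (fix 1's ICMP unreachable closing an entry, a live host's RST closing another, and a silently dropping firewall leaving its entry to age out), as an added Python example that is not part of either post; the addresses, ports, backlog size and timeout are constructed values.

```python
# Constructed model of a server's half-open (SYN_RECEIVED) table and of
# "fix 1" from the thread: drop a half-open entry when an ICMP unreachable
# for the SYN-ACK comes back. Addresses are RFC 5737 documentation ranges.

class HalfOpenTable:
    def __init__(self, max_entries, timeout):
        self.max_entries = max_entries
        self.timeout = timeout          # seconds a half-open entry may live
        self.entries = {}               # (src, sport, dst, dport) -> time of SYN

    def on_syn(self, src, sport, dst, dport, now):
        self.expire(now)
        if len(self.entries) >= self.max_entries:
            return False                # backlog full: this SYN is dropped
        self.entries[(src, sport, dst, dport)] = now
        return True

    def on_rst(self, src, sport, dst, dport):
        # A live host that never sent the SYN answers our SYN-ACK with RST.
        return self.entries.pop((src, sport, dst, dport), None) is not None

    def on_icmp_unreachable(self, quoted):
        # ICMP Destination Unreachable quotes the IP header and first 8 bytes
        # of the undeliverable datagram, here our SYN-ACK sent dst:dport -> src:sport.
        # Flip it back into the orientation of the original SYN to find the entry.
        key = (quoted["dst"], quoted["dport"], quoted["src"], quoted["sport"])
        return self.entries.pop(key, None) is not None

    def expire(self, now):
        stale = [k for k, t in self.entries.items() if now - t > self.timeout]
        for k in stale:
            del self.entries[k]
        return len(stale)


def simulate():
    """Three spoofed SYNs fill a 3-entry backlog; report what each remedy achieved."""
    t = HalfOpenTable(max_entries=3, timeout=75.0)
    srv, port = "192.0.2.10", 80
    for i, src in enumerate(["203.0.113.1", "203.0.113.2", "203.0.113.3"]):
        t.on_syn(src, 40000 + i, srv, port, now=0.0)
    blocked = not t.on_syn("198.51.100.7", 51000, srv, port, now=0.5)  # legit client loses
    # fix 1: no host at 203.0.113.1, so a router returns ICMP host unreachable
    icmp = t.on_icmp_unreachable({"src": srv, "sport": port, "dst": "203.0.113.1", "dport": 40000})
    # 203.0.113.2 exists and never sent the SYN, so it resets our SYN-ACK
    rst = t.on_rst("203.0.113.2", 40001, srv, port)
    # 203.0.113.3 sits behind a firewall that silently drops: nothing ever comes back
    accepted = t.on_syn("198.51.100.7", 51000, srv, port, now=1.0)
    held = len(t.entries)                  # the silent entry plus the legit client
    expired = t.expire(now=76.0)           # only the silent entry has aged out
    return {"blocked": blocked, "icmp": icmp, "rst": rst, "accepted": accepted,
            "held": held, "expired": expired}
```

The silent-drop case is Brian's point: with no RST and no ICMP, the only thing that frees that slot is the SYN_RECEIVED timeout.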