Re: denial of service attack possible
Casper Dik (casper Holland.Sun.COM), Sun, 29 Oct 1995 13:24:48 +0100
- Next message: System Administrator: "Re: denial of service attack possible"
- Previous message: Darren Reed: "Re: denial of service attack possible"
- In reply to: Jim Shankland: "Re: denial of service attack possible"
- Next in thread: Darrell Fuhriman: "Re: denial of service attack possible"
> [Denial of service possible by remote host putting multiple connections
> to a port into the SYN_RCVD state, thereby precluding further
> (legitimate) connection attempts.]

This problem is partly in the way the interface on top of TCP/IP has been defined. Had accept been defined in such a way that a connection request could be accepted and then rejected, there would not have been a problem. However, accept() will not return until the three-way handshake is complete, and if the source doesn't cooperate or if the server is missing the return route, the kernel queue will fill up and after the maximum is reached no further connections will succeed.

This backlog parameter also severely limits the number of connections/second an http server can accept.

> It's even worse. The same thing was done deliberately by Kevin Mitnick
> during his packet-spoofing attack on Shimomura's machines in San Diego.
> Mitnick put lots of connections into the SYN_RCVD state on machine A,
> thereby "jamming" machine A and preventing it from interfering
> (by sending RST packets) with his attack on machine B, impersonating
> machine A.

It doesn't need to be that way. I was told that Solaris 2.x machines will send RSTs for non-existing connections, even if the incoming connection queue is full. And that is not as strange as it appears: you're only interested in queueing naked SYNs; all unexpected packets can still be rejected with a RST.

Casper
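The listen-queue behaviour discussed above, as an added toy model that is not part of the original thread and not kernel code: half-open entries occupy the backlog until the handshake's third packet arrives, a full backlog drops a legitimate SYN, and a segment for a connection the listener never queued can still be answered with RST regardless of queue occupancy. Peer addresses and the backlog size are constructed for the demonstration.

```python
from dataclasses import dataclass, field

@dataclass
class ListenQueue:
    """Toy model of one listening port's connection backlog (constructed)."""
    backlog: int
    syn_rcvd: dict = field(default_factory=dict)   # peer -> half-open entry
    established: list = field(default_factory=list)

    def on_syn(self, peer):
        """Incoming SYN: queue it as SYN_RCVD unless the backlog is full."""
        if peer in self.syn_rcvd:
            return "SYN-ACK"            # retransmitted SYN, answer it again
        if len(self.syn_rcvd) >= self.backlog:
            return "DROP"               # queue full: a legitimate SYN is lost
        self.syn_rcvd[peer] = "SYN_RCVD"
        return "SYN-ACK"

    def on_ack(self, peer):
        """Third handshake packet: complete the connection, or RST if unknown."""
        if peer in self.syn_rcvd:
            del self.syn_rcvd[peer]
            self.established.append(peer)
            return "ESTABLISHED"
        return "RST"                    # no such connection, even with a full queue

    def accept(self):
        """Like accept(2): returns only a connection whose handshake finished."""
        return self.established.pop(0) if self.established else None

    def expire(self, peer):
        """Reclaim a SYN_RCVD entry whose handshake timer ran out."""
        self.syn_rcvd.pop(peer, None)


def run_scenario(backlog=3):
    """Fill the backlog with half-open entries, then see what the queue does."""
    q = ListenQueue(backlog)
    for i in range(backlog):                       # constructed peers that never ACK
        q.on_syn(("10.0.0.1", 40000 + i))
    blocked = q.on_syn(("192.0.2.7", 5555))        # legitimate client is dropped
    rejected = q.on_ack(("203.0.113.9", 7777))     # stray ACK: still answered with RST
    q.expire(("10.0.0.1", 40000))                  # one half-open entry times out
    retried = q.on_syn(("192.0.2.7", 5555))        # the client's retransmit now fits
    done = q.on_ack(("192.0.2.7", 5555))
    return blocked, rejected, retried, done, q.accept()


if __name__ == "__main__":
    print(run_scenario())
```

The model does not implement the RST-for-unknown-connection behaviour at the packet level; it only shows that the decision does not depend on backlog occupancy.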