---------- Forwarded Message ----------
Subject: new variation on synflood?
Date: Wed, 2 Aug 2000 21:54:12 -0400
From: John Comeau <[EMAIL PROTECTED]>

Over the past few weeks we've seen a new (to us) type of SYN attack which seems to be using a weakness, if not a bug, in Linux's TCP/IP stack to use any Linux machine (looks like 2.2.12-20 and 2.2.16-3 at least) to reflect an attack to any destination.

Here's the scenario as I understand it, having finally taken a few minutes to analyze it:

The IP header shows total packet length 40, meaning 0 data (just 20 bytes each for the IP header and the TCP header). But in reality, after 12 bytes of 0's, there is all kinds of random data following the TCP header: some web pages, some chat traffic, binaries, whatever.

The packet is to an unused port on the target, usually a low number such as 2 or 56. The IPs seem to be spoofed, which allows the spoofed IPs to be hit equally hard as the target.

The RST from the target has a similar header but includes an equal number of bytes of garbage, and not necessarily the same garbage either; it just seems to be getting it from any recently-deallocated RAM.

If necessary, I'll take the time to research it better, and post an exploit if not a patch. Or does the whole world already know except me?

--
John Comeau - Chief Technology Officer
Dialtone Internet - Extremely Fast Web Systems
954-581-0097 fax://954-581-7629
[EMAIL PROTECTED] http://www.dialtoneinternet.net

-------------------------------------------------------
* Gunadarma Mailing List
-----------------------------------------------
* Archives : http://milis-archives.gunadarma.ac.id
* Subscribe : send an empty email to [EMAIL PROTECTED]
* Unsubscribe : send an empty email to [EMAIL PROTECTED]
* Administrator: [EMAIL PROTECTED]
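An added example, not part of John's message and not code from Dialtone or the Linux project: it builds IPv4/TCP frames of the shape he describes (IP total length 40, no TCP payload, but extra bytes trailing the TCP header), parses them back, and pairs each such frame with a later RST going the other way that carries the same number of trailing bytes. The sample frames, addresses, ports and the "trailing bytes on a header-only packet" heuristic are all constructed here for illustration; nothing is sent on the wire.

```python
"""Detect header-only IPv4/TCP frames that carry bytes beyond the IP total
length, and pair them with RST replies that echo an equal amount of trailing
data. Added example; all frames and addresses below are constructed."""
import ipaddress
import socket
import struct

TCP_SYN = 0x02
TCP_RST = 0x04
TCP_ACK = 0x10


def ip_checksum(data: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 1071 style)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src: str, dst: str, sport: int, dport: int, flags: int,
                trailer: bytes = b"") -> bytes:
    """IPv4 + TCP header, no payload. `trailer` is appended AFTER the bytes the
    IP total-length field (40) accounts for, mimicking the malformed frames."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    total_len = 20 + len(tcp)  # 40: "0 data" as far as IP is concerned
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                         socket.IPPROTO_TCP, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + tcp + trailer


def inspect_frame(frame: bytes) -> dict:
    """Parse an IPv4/TCP frame and report the bytes the IP header does not cover."""
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    sport, dport = struct.unpack("!HH", frame[ihl:ihl + 4])
    return {
        "src": str(ipaddress.IPv4Address(frame[12:16])),
        "dst": str(ipaddress.IPv4Address(frame[16:20])),
        "sport": sport,
        "dport": dport,
        "flags": frame[ihl + 13],
        "declared_len": total_len,
        "ip_checksum_ok": ip_checksum(frame[:ihl]) == 0,
        "trailing": frame[total_len:],  # present only on the malformed frames
    }


def find_reflections(frames):
    """Pair each header-only frame carrying trailing bytes with a later RST in
    the reverse direction (ports swapped) that carries the same number of
    trailing bytes, as the post describes. Returns (spoofed src, port, count)."""
    infos = [inspect_frame(f) for f in frames]
    pairs = []
    for i, a in enumerate(infos):
        if a["declared_len"] != 40 or not a["trailing"]:
            continue
        for b in infos[i + 1:]:
            if (b["flags"] & TCP_RST and b["src"] == a["dst"] and b["dst"] == a["src"]
                    and b["sport"] == a["dport"] and b["dport"] == a["sport"]
                    and len(b["trailing"]) == len(a["trailing"])):
                pairs.append((a["src"], a["dport"], len(a["trailing"])))
                break
    return pairs


# Constructed sample traffic (addresses are documentation ranges, not real hosts):
# 12 zero bytes, then random-looking junk, after a 40-byte header-only packet.
JUNK_IN = b"\x00" * 12 + b"GET /index.html HTTP/1.0\r\n"
JUNK_OUT = (b"\x00" * 12 + b"<html><body>leaked").ljust(len(JUNK_IN), b"\x00")
ATTACK = build_frame("203.0.113.7", "192.0.2.10", 40000, 2, TCP_SYN, JUNK_IN)
REFLECT = build_frame("192.0.2.10", "203.0.113.7", 2, 40000, TCP_RST | TCP_ACK, JUNK_OUT)
CLEAN = build_frame("203.0.113.7", "192.0.2.10", 40001, 80, TCP_SYN)

if __name__ == "__main__":
    for f in (ATTACK, REFLECT, CLEAN):
        info = inspect_frame(f)
        print(info["src"], "->", info["dst"], "port", info["dport"],
              "trailing bytes:", len(info["trailing"]))
    print("reflection pairs:", find_reflections([ATTACK, REFLECT, CLEAN]))
```

The useful signal is the comparison of the IP total-length field against the bytes actually captured: a well-formed header-only packet has nothing after offset 40, so any trailing bytes on either the inbound SYN or the outbound RST are worth logging, and a matching count in the reverse direction is the reflection pattern the post describes.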
