More BSD info

From freedman@netaxs.com Fri Oct 11 22:21:21 1996
Date: Fri, 11 Oct 1996 09:57:43 -0400 (EDT)
From: Avi Freedman <freedman@netaxs.com>
To: nanog@merit.edu
Subject: Excellent host SYN-attack fix for BSD hosts


I've been running Jeff Weisberg's SunOS patches for a day now without
trouble on my news and web boxes.  He's come up with an implementation
of the not-going-into-the-SYN_SENT-or-SYN_RCVD state hack.  It appears
to be working fine.

No state is kept locally; when a SYN is received, an ISS is generated
that contains a few bits for reference into a table of MSS values;
window size and any initial data is discarded; and the rest of the ISS
is the MD5 output of a 32-byte secret and all of the interesting header
info.

ftp.op.net:/pub/src/syn-prophylactica

Has sun3 and sun4 patches (the sun4 patches work so far on sun4, sun4c,
and sun4m architectures).  The hypothetical-this-should-work-on-other-BSD-
based-systems source code in the 'net2-src' still hasn't actually been
tested, I think.

Tremendous thanks to Jeff for implementing what is still my favorite
SYN defense.

Hopefully Sun will incorporate this into their security announcement,
which basically says you're screwed if you run SunOS, though it does
describe how to increase the queue and decrease the SYN-holding timeout
(if you have source...).   Object files that do that are still described
at http://www.netaxs.com/~freedman/syn/, though I think the approach
implemented by Jeff is much better, and if you use that approach,
increasing the queue and decreasing the SYN-holding timeout are as
useless as a command-line interface on a Bay router.

Again, MANY thanks to Jeff.  

Avi
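The stateless ISS construction described above, as an added example that is not part of the original post or of Jeff Weisberg's patches; the 4-entry MSS table (2 index bits), the placeholder secret and the addresses are constructed assumptions for illustration:

```python
import hashlib
import socket
import struct

# Constructed values for this example: a 4-entry MSS table (so 2 index bits)
# and a 32-byte placeholder secret; a real host picks and rotates its own.
MSS_TABLE = [536, 1024, 1460, 4312]
SECRET = b"constructed-placeholder-secret!!"  # placeholder, not the page's secret


def _mss_index(mss):
    """Largest table entry that does not exceed the MSS the client advertised."""
    idx = 0
    for i, v in enumerate(MSS_TABLE):
        if v <= mss:
            idx = i
    return idx


def _hash_bits(saddr, daddr, sport, dport, client_isn):
    """Low 30 bits of MD5(secret || the interesting header fields)."""
    hdr = struct.pack("!4s4sHHI", socket.inet_aton(saddr), socket.inet_aton(daddr),
                      sport, dport, client_isn)
    digest = hashlib.md5(SECRET + hdr).digest()
    return struct.unpack("!I", digest[:4])[0] & 0x3FFFFFFF


def make_iss(saddr, daddr, sport, dport, client_isn, mss):
    """Server ISS for the SYN/ACK, derived from the SYN alone: no per-connection state."""
    return (_mss_index(mss) << 30) | _hash_bits(saddr, daddr, sport, dport, client_isn)


def check_ack(saddr, daddr, sport, dport, seq, ack):
    """Validate the final ACK of the handshake. Its ACK number is ISS+1 and its
    sequence number is the client ISN+1. Returns the recovered MSS, or None."""
    iss = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    if (iss & 0x3FFFFFFF) != _hash_bits(saddr, daddr, sport, dport, client_isn):
        return None  # forged or stale ACK: drop it; no state was ever allocated
    return MSS_TABLE[iss >> 30]


if __name__ == "__main__":
    # Constructed handshake: SYN -> SYN/ACK carrying our ISS -> ACK
    c_isn = 0x12345678
    iss = make_iss("10.0.0.2", "10.0.0.1", 40000, 80, c_isn, 1460)
    print("recovered MSS:", check_ack("10.0.0.2", "10.0.0.1", 40000, 80, c_isn + 1, iss + 1))
    print("forged ACK:", check_ack("10.0.0.2", "10.0.0.1", 40000, 80, c_isn + 1, iss + 7))
```

Because the window size and any initial data are discarded, the only things the server must reconstruct from the ACK are the MSS (from the index bits) and the proof that it really sent this ISS (from the hash bits).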

