On Wed, 07 May 2008 10:53:35 PDT, Erin Carroll said:
> When I saw this hitting my servers last night I thought it an odd attack
> pattern but surmised it was either a targeted slow attack with spoofed IP's
Unless your operating system is *very* broken and doesn't do RFC1948 randomization
of the TCP Initial Sequence Number, using a spoofed ID just gets you a bunch
of sockets stuck in half-open state (SYN received, SYN/ACK send to the spoofed
source, no ACK back). If it's gotten through the 3-packet handshake, you may
as well assume that it's a real IP address (or the attacker has already pwned
enough infrastructure that they can see the SYN/ACK you send, in which case
they control the horizontal and vertical and you're now in an Outer Limits
episode... ;)
> When I saw this hitting my servers last night I thought it an odd attack
> pattern but surmised it was either a targeted slow attack with spoofed IP's
Unless your operating system is *very* broken and doesn't do RFC1948 randomization
of the TCP Initial Sequence Number, using a spoofed ID just gets you a bunch
of sockets stuck in half-open state (SYN received, SYN/ACK send to the spoofed
source, no ACK back). If it's gotten through the 3-packet handshake, you may
as well assume that it's a real IP address (or the attacker has already pwned
enough infrastructure that they can see the SYN/ACK you send, in which case
they control the horizontal and vertical and you're now in an Outer Limits
episode... ;)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001
iD8DBQFIIfIvcC3lWbTT17ARAiGIAJ9T8+/TLla7X45kCKafVcbY5hZm7wCbBdHR
IQscNCH4I92ZGW76pa7ioUU=
=VGJV
-----END PGP SIGNATURE-----
[ reply ]