On Saturday 29 October 2005 02:02, media Formel4 wrote:

> So still the one question is left open: How can the attacker instantiate an ESTABLISHED connection while using spoofed IPs?
Essentially, you can't. However, as someone has already mentioned, you could brute-force the sequence number expected for a SYNACK "cookie" by sending them blindly after the first SYN.

There is a way to stop these from creating an established connection, but you'll need to write a program that actually detects these attempts and deletes the connection. This can be done in Linux, but it may take a day or two to develop, if you're familiar with netfilter. The idea is that if you receive a SYN, send a SYNACK, and then wait for the reply, and you actually receive a reply from that IP that is somehow invalid before receiving the valid one, you just delete the conntrack entry as if the first SYN packet was never received. This will result in sending a single RST after other packets come in for the same connection (which you may want to rate limit), and it won't bug Apache about an open TCP socket, which is exactly what you need.

However, your machine will still get loaded because of all the traffic causing all the state changes in the IP stack, and there is a very real possibility that these IP addresses are not spoofed, but actually just machines that have been compromised a while ago and were just waiting to start flooding some IP with junk requests. Check with tcpdump if you are actually receiving lots of ACK packets that you should not be seeing.

-- 
Jure Koren, n.i.
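The "drop the half-open entry on the first invalid reply" logic described in the reply above, as an added example that is not part of the original mail and is not Jure Koren's code. It is a toy, userspace model of the state machine, not a netfilter/conntrack module: the `HalfOpenTable` class, the `Segment` record, the IP addresses and the fixed ISN are all constructed for the demonstration. An entry that sees a wrong ACK before the right one is removed as if the SYN had never arrived, later segments for that peer get a rate-limited RST, and nothing reaches the application.

```python
"""Toy model of deleting a half-open conntrack entry on the first bad ACK.

Constructed example: a table of pending handshakes keyed by (src ip, src port).
On SYN we record the ISN we would put in our SYN/ACK; the first ACK for that
entry must acknowledge ISN+1. If any other ACK arrives first, the entry is
dropped as if the SYN had never been seen, and further segments for that
peer earn a rate-limited RST instead of an established socket.
"""
from collections import namedtuple
import secrets

# Hypothetical minimal TCP segment: flags is "S" (SYN) or "A" (ACK).
Segment = namedtuple("Segment", "src sport flags seq ack")


class HalfOpenTable:
    def __init__(self, rst_limit_per_peer=3, isn_source=None):
        self.pending = {}        # (src, sport) -> ACK number we expect (ISN+1)
        self.established = set() # peers that completed a valid handshake
        self.rst_sent = {}       # (src, sport) -> RSTs already emitted
        self.rst_limit = rst_limit_per_peer
        # Real stacks pick a random ISN; tests may inject a fixed one.
        self.isn_source = isn_source or (lambda: secrets.randbelow(2**32))

    def handle(self, seg):
        """Return the action the host takes for one inbound segment."""
        key = (seg.src, seg.sport)
        if seg.flags == "S":
            isn = self.isn_source()
            self.pending[key] = (isn + 1) & 0xFFFFFFFF
            return "synack"                 # we answer the SYN with SYN/ACK
        if seg.flags == "A":
            if key in self.established:
                return "deliver"            # normal data path
            expected = self.pending.get(key)
            if expected is None:
                return self._reset(key)     # no handshake in progress
            if seg.ack == expected:
                del self.pending[key]
                self.established.add(key)
                return "established"
            # Wrong ACK arrived before the valid one: forget the SYN entirely,
            # so a later correct guess no longer completes the handshake.
            del self.pending[key]
            return self._reset(key)
        return "ignore"

    def _reset(self, key):
        """Send at most rst_limit RSTs per peer, then silently drop."""
        n = self.rst_sent.get(key, 0)
        if n >= self.rst_limit:
            return "drop"
        self.rst_sent[key] = n + 1
        return "rst"


def run_demo():
    """Constructed traffic: one honest client and one blind ACK guesser."""
    table = HalfOpenTable(isn_source=lambda: 1000)   # fixed ISN for the demo
    honest = [Segment("203.0.113.5", 40000, "S", 1, 0),
              Segment("203.0.113.5", 40000, "A", 2, 1001)]
    blind = [Segment("198.51.100.9", 5555, "S", 1, 0)] + [
        Segment("198.51.100.9", 5555, "A", 2, a) for a in (7, 8, 9, 10, 1001)]
    return [table.handle(s) for s in honest], [table.handle(s) for s in blind]


if __name__ == "__main__":
    print(run_demo())
```

The honest peer goes SYN, then ACK of ISN+1, and is established. The blind peer's first wrong ACK deletes the pending entry; its next three segments each draw a RST, and after the per-peer limit the rest, including the eventual correct ACK number, are dropped without any socket ever reaching the application. A real implementation would hook conntrack or netfilter as the mail says; this model only shows the decision logic and the rate-limited RST behaviour.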