hi

from what little i know of tcp, it seems if u are root on a linux comp, then u can produce a tcp packet of desired requirements. Also, u can produce an RST packet, and as long as there is no need for a tcp handshake (there is no connection) then it is perfectly logically ok to spoof the ip address of the source sending the packet.

Then supposing i write a program that keeps sending RST packets to a specified port of a target with spoofed source ip addresses from 0.0.0.0 to 255.255.255.255, then is it possible to DOS it? How do u prevent this from happening?

regards
cheedu

-- 
*********
Perhaps it is better to be un-sane and happy, than sane and un-happy. But it is best of all to be sane and happy.
--Arthur Clarke, "3001:The Final Odyssey"
*********
* Sridhar wrote on Wed, Oct 18, 2000 at 23:50 +0530:
> Then supposing i write a program that keeps sending RST packets to a specified port of a target with spoofed source ip addresses from 0.0.0.0 to 255.255.255.255, then is it possible to DOS it ? How do u prevent this from happening ?

You have to block by a firewall as much as possible from outside, and block anything possible from hosts you are not root (or not the only root :)). Of course this isn't working well for web services or mail... Use intrusion detectors and analyzing/monitoring tools to see such things. Firewalls to outside should block things like 0.0.0.0 anyways (since it's some broadcast address).

oki,
Steffen
-- 
This letter was produced by machine and therefore bears neither signature nor seal.
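A sketch of the two measures named in the reply above, ingress filtering of impossible source addresses and monitoring for RSTs that match no tracked connection. This is an added example, not part of the original thread; the function names, the bogon list, the thresholds and the sample packets are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Sources that should never arrive from outside (assumed list, extend locally).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def is_bogon(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BOGONS)

def analyse(packets, established, window=1.0, threshold=3):
    """Return (dropped_bogons, stray_rst_sources, alerts).

    packets: (time, src, sport, dst, dport, flags) seen on the outside interface.
    established: 4-tuples the stateful firewall already tracks.
    alerts: (dst, dport, window_index) with >= threshold distinct stray-RST sources.
    """
    dropped, stray, buckets = [], [], defaultdict(set)
    for t, src, sport, dst, dport, flags in packets:
        if is_bogon(src):                  # ingress filter comes first
            dropped.append(src)
            continue
        if "R" in flags and (src, sport, dst, dport) not in established:
            stray.append(src)              # RST that matches no connection
            buckets[(dst, dport, int(t // window))].add(src)
    alerts = sorted(k for k, s in buckets.items() if len(s) >= threshold)
    return dropped, stray, alerts

# Constructed sample traffic using documentation address ranges.
TARGET = "198.51.100.10"
ESTABLISHED = {("192.0.2.7", 40000, TARGET, 80)}
SAMPLE_PACKETS = [
    (0.10, "0.0.0.0", 1024, TARGET, 80, "R"),
    (0.20, "255.255.255.255", 1024, TARGET, 80, "R"),
    (0.30, "10.1.2.3", 1024, TARGET, 80, "R"),
    (0.40, "192.0.2.7", 40000, TARGET, 80, "R"),   # RST on a real connection
    (0.50, "203.0.113.5", 1111, TARGET, 80, "R"),
    (0.60, "203.0.113.6", 2222, TARGET, 80, "R"),
    (0.70, "203.0.113.7", 3333, TARGET, 80, "R"),
    (2.10, "203.0.113.8", 4444, TARGET, 80, "S"),  # SYN, not an RST
    (2.20, "203.0.113.9", 5555, TARGET, 80, "R"),
]

if __name__ == "__main__":
    dropped, stray, alerts = analyse(SAMPLE_PACKETS, ESTABLISHED)
    print("dropped:", dropped, "stray RSTs:", stray, "alerts:", alerts)
```
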
> * Sridhar wrote on Wed, Oct 18, 2000 at 23:50 +0530:
>> Then supposing i write a program that keeps sending RST packets to a specified port of a target with spoofed source ip addresses from 0.0.0.0 to 255.255.255.255, then is it possible to DOS it ? How do u prevent this from happening ?
> You have to block by a firewall as much as possible from outside, and block anything possible from hosts you are not root (or not the only root :)). Of course this isn't working well for web services or mail... Use intrusion detectors and analyzing/monitoring tools to see such things. Firewalls to outside should block things like 0.0.0.0 anyways (since it's some broadcast address).
> oki,
> Steffen

.0 = network address (for anything larger than /24 which is "normal")
.255 = broadcast (for anything larger than /24 which is "normal").

http://www.securityportal.com/lskb/10000050/kben10000087.html has a link to the HUNT project, which you will probably find of interest.

Kurt Seifried - seifried@securityportal.com
SecurityPortal, your focal point for security on the net
http://www.securityportal.com/

participants (3)
- Kurt Seifried
- Sridhar
- Steffen Dettmer