Mailinglist Archive: opensuse-security (232 mails)

Re: [suse-security] Under DDoS Attack
  • From: Jure Koren <jure@xxxxxxxxxx>
  • Date: Sun, 30 Oct 2005 13:52:13 +0200
  • Message-id: <200510301252.22702.jure@xxxxxxxxxx>
On Saturday 29 October 2005 02:02, media Formel4 wrote:
> So still the one question is left open: How can the attacker instantiate
> an ESTABLISHED connection while using spoofed IPs?

Essentially, you can't. However, as someone has already mentioned, you could
brute-force the sequence number expected for a SYNACK "cookie" by sending
them blindly after the first SYN. There is a way to stop these from creating
an established connection, but you'll need to write a program that actually
detects these attempts and deletes the connection. This can be done in Linux,
but it may take a day or two to develop, if you're familiar with netfilter.

The idea is that if you receive a SYN, send a SYNACK, and then wait for the
reply and you actually receive a reply from that IP that is somehow invalid
before receiving the valid one, you just delete the conntrack entry as if the
first SYN packet was never received. This will result in sending a single RST
after other packets coming in for the same connection (which you may want to
rate limit) and it won't bug apache about an open tcp socket, which is
exactly what you need.

However, your machine will still get loaded because of all the traffic causing
all the state changes in IP stack, and there is a very real possibility that
these IP addresses are not spoofed, but actually just machines that have been
compromised a while ago and were just waiting to start flooding some IP with
junk requests. Check with tcpdump whether you are actually receiving lots of ACK
packets that you should not be seeing.

Jure Koren, n.i.
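The rule Jure describes (answer the SYN, and if the first reply from that IP/port carries the wrong numbers, forget the SYN ever happened) is easy to misread, so here is a small model of it as an added example. This is not the poster's netfilter code and not anything from the list; it is a Python simulation with made-up names (Packet, Tracker, blind_brute_force, legitimate_handshake) that stands in for a conntrack table. The isn_bits parameter is an assumption made only so the blind brute force finishes in the demo; real stacks use a 32-bit ISN, and SYN cookie details (timestamps, MSS encoding) are deliberately left out.

```python
# Added example, not from the original message: a toy server-side handshake
# tracker showing why "delete the entry on the first invalid ACK" stops a
# blind spoofer from guessing its way into an ESTABLISHED connection.
import random
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Packet:
    src: str      # source IP (may be spoofed)
    sport: int    # source port
    flags: str    # "S" = SYN, "A" = ACK
    seq: int = 0
    ack: int = 0


class Tracker:
    """Stand-in for a conntrack table holding half-open TCP connections.

    strict=False: keep the half-open entry until a correctly numbered ACK
                  arrives, so an attacker may keep guessing until it times out.
    strict=True:  the rule from the message: the first ACK for that IP/port
                  with the wrong numbers deletes the entry, so every later
                  packet for that 4-tuple (even a correct guess) only gets a RST.
    """

    def __init__(self, strict, isn_bits=32, seed=0):
        self.strict = strict
        self.isn_bits = isn_bits   # 32 in reality; smaller here only for the demo
        self.rng = random.Random(seed)
        self.half_open = {}        # (src, sport) -> (our_isn, client_isn)
        self.established = set()
        self.rsts = 0              # count of RSTs sent (rate limiting not modelled)

    def handle(self, pkt):
        key = (pkt.src, pkt.sport)
        if pkt.flags == "S":
            isn = self.rng.getrandbits(self.isn_bits)
            self.half_open[key] = (isn, pkt.seq)
            return "SYNACK"
        if pkt.flags == "A":
            if key in self.established:
                return "DATA"
            state = self.half_open.get(key)
            if state is None:
                self.rsts += 1     # no state at all: plain RST
                return "RST"
            isn, client_isn = state
            if pkt.ack == (isn + 1) & MASK32 and pkt.seq == (client_isn + 1) & MASK32:
                del self.half_open[key]
                self.established.add(key)
                return "ESTABLISHED"
            if self.strict:
                del self.half_open[key]   # forget the SYN: no socket ever reaches the application
            self.rsts += 1
            return "RST"
        return "DROP"


def blind_brute_force(tracker, src="198.51.100.7", sport=40000):
    """Spoofing attacker: one SYN, then ACKs for every possible ISN without
    ever seeing the SYN-ACK. Returns True if the connection became ESTABLISHED."""
    client_isn = 1000
    tracker.handle(Packet(src, sport, "S", seq=client_isn))
    for guess in range(1 << tracker.isn_bits):
        reply = tracker.handle(Packet(src, sport, "A", seq=client_isn + 1,
                                      ack=(guess + 1) & MASK32))
        if reply == "ESTABLISHED":
            return True
    return False


def legitimate_handshake(tracker, src="203.0.113.5", sport=50000):
    """Real client: it receives the SYN-ACK, so its first ACK is already correct."""
    client_isn = 5000
    tracker.handle(Packet(src, sport, "S", seq=client_isn))
    isn, _ = tracker.half_open[(src, sport)]   # what the client reads off the wire
    return tracker.handle(Packet(src, sport, "A", seq=client_isn + 1,
                                 ack=(isn + 1) & MASK32))


if __name__ == "__main__":
    print("naive, 16-bit ISN, brute force succeeds:", blind_brute_force(Tracker(False, isn_bits=16)))
    strict = Tracker(True, isn_bits=16)
    print("strict, 16-bit ISN, brute force succeeds:", blind_brute_force(strict), "RSTs:", strict.rsts)
    print("strict, legitimate client:", legitimate_handshake(Tracker(True)))
```

The strict tracker still answers each spoofed packet with a RST and still burns CPU on every state lookup, which is the caveat in the message: this keeps Apache from ever seeing a socket, it does not make the flood cheap to receive.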