
North American Network Operators Group


Re: tcp,guardent,bellovin

  • From: Steven M. Bellovin
  • Date: Mon Mar 12 21:13:03 2001

In message <>, Valdis.Kletnieks@ writes:
>On Mon, 12 Mar 2001 18:09:32 EST, "Richard A. Steenbergen" said:
>> And since the "victim" will have the current sequence number for inbound
>> data, what would keep it from (correctly) sending an RST and tearing down
>> this false connection?
>And THAT my friends, was the *original* purpose for a TCP SYN flood - it
>wasn't to DOS the victim, it was to DOS a machine *trusted by* the victim
>so you could forge a connection and NOT get nailed by an RST.
>I'm sure that Steve Bellovin can point us at the original discussion
>of this, which was *ages* ago.  I remember hearing that Kevin Mitnick
>used that (in addition to other tricks) against Shimomura's machines
>and thinking "Hmm.. so it's *not* just a theoretical attack anymore..."

More or less.  When doing a sequence number guessing attack, one of the
problems faced by the attacker is preventing the spoofed machine from
replying with an RST to the SYN+ACK for a connection it knows nothing
about.  Morris's original version used a low-rate SYN flood that
exploited a bug in the BSD kernel to effectively gag a low-numbered
port.  His paper can be found at
This isn't the same weakness that was exploited by the early SYN 
floods, but it took advantage of the same limit on half-open 

		--Steve Bellovin,
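To see the interaction the post describes from the defending side, here is an added toy model (not code from this thread or from Morris's paper) of how a host answers a SYN+ACK for a connection it never opened: a stack that drops every segment for a port whose half-open queue is full never sends the RST that would tear down the forged connection, while a stack using SYN cookies keeps the port responsive and the RST still goes out. The `Host` and `Segment` types, the host names and the 198.51.100.0/24 addresses are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "RST"}


@dataclass
class Host:
    """Simplified TCP endpoint: one port, a half-open queue, optional SYN cookies (constructed model)."""
    name: str
    port: int               # the low-numbered port the forged connection claims as its source
    backlog: int = 5        # half-open connections the kernel will hold for this port
    syn_cookies: bool = False
    half_open: set = field(default_factory=set)  # remote addresses currently in SYN_RECEIVED

    def receive(self, seg: Segment):
        """Return the segment this host sends in reply, or None if it stays silent."""
        if seg.dport != self.port:
            return None  # other ports are not modelled
        # Behaviour the post describes: with the half-open queue full (and no SYN
        # cookies) the kernel drops every segment for the port, RST-worthy ones included.
        if len(self.half_open) >= self.backlog and not self.syn_cookies:
            return None
        if seg.flags == {"SYN"}:
            if len(self.half_open) < self.backlog:
                self.half_open.add(seg.src)
            # with SYN cookies the handshake state lives in the ISN, not in the queue
            return Segment(self.name, seg.src, seg.dport, frozenset({"SYN", "ACK"}))
        if seg.flags == {"SYN", "ACK"} and seg.src not in self.half_open:
            # RFC 793: a SYN+ACK for a connection we never opened is answered with RST
            return Segment(self.name, seg.src, seg.dport, frozenset({"RST"}))
        return None


def answers_stray_synack(host: Host, half_open_load: int) -> bool:
    """Fill `host`'s queue with unanswered SYNs from unreachable addresses, then deliver a
    SYN+ACK for a connection it never opened; True if the tear-down RST is sent."""
    for i in range(half_open_load):
        host.receive(Segment(f"198.51.100.{i % 254 + 1}", host.name, host.port, frozenset({"SYN"})))
    stray = Segment("victim", host.name, host.port, frozenset({"SYN", "ACK"}))
    reply = host.receive(stray)
    return reply is not None and reply.flags == {"RST"}


if __name__ == "__main__":
    print("idle port sends RST:", answers_stray_synack(Host("trusted", 513), 0))
    print("gagged port sends RST:", answers_stray_synack(Host("trusted", 513), 5))
    print("SYN-cookie port sends RST:", answers_stray_synack(Host("trusted", 513, syn_cookies=True), 50))
```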
