Actually, it was Morris, not me, who first pointed it out.
Data point: When did Steve Bellovin point out the issues with non-random
TCP ISNs? When did Mitnick use an exploit for this against Shimomura?And now ask yourself - when did we *first* start seeing SYN flood attacks (whi
ch
were *originally* used to shut the flooded machine up while and prevent it
from talking while you spoofed its address to some OTHER machine?)
That's not quite correct. While flooding can work, Morris found an
implementation bug that made it easier to gag the alleged source. I'd
have to spend a while trying to figure out the exact details; roughly,
though, you picked a port on which the alleged source was in LISTEN
state, created enough half-open connections to fill its queue, and then
used that port (in the privileged range) in launching your spoofing
attack on the real victim. The SYN+ACK packets would be dropped,
rather than eliciting an RST, because they appeared to be SYNs for a
service with a full queue. The difference is is that this scheme takes
many fewer packets than a SYN flood -- 5, back in 1985 when the attack
was published -- and works very reliably, with no statistical
dependencies. That bug has long-since been fixed on just about
everything out there, but in the mean time we've seen lots more ways to
take hosts off the air...
--Steve Bellovin, error