ideas for half-open sync flood fixs

Peter_Cole1 · September 20, 1996, 4:50pm

ideas for half-open sync flood fixs?

What I understand about this venerability:

If a spoofed packet contains a host address that does exist on the net then
the real host sends a reset and the fake half open socket is killed. No
problem for the host.

If a spoofed packet contains a nonexistent host address then no host is
present to send a reset. Big problem for the host.

fix 1. Doesn't the network respond with ICMP message to the attacked host
telling it that the nonexistent host is unreachable. The attacked host could
close a half open socket if it received a ICMP message with the corresponding
host address and socket port data.

fix 2. If a router cannot deliver a sync ack packet it could send a reset for
that sync ack.

fix 3. If a host sent a ping to the requesting source address before sending
the sync ack then it could kill nonresponding hosts quickly.

Three ideas form a lurker.

Peter Cole
peter@telescan.com
Telescan Inc.
(713) 588-9155

Better computing through lack of sleep
Peter Cole (713)588-9155

Brian_Murrell · September 20, 1996, 5:02pm

from the quill of peter@telescan.com (Peter Cole) on scroll
<199609201650.MAA10156@merit.edu>

fix 1. Doesn't the network respond with ICMP message to the attacked
host
telling it that the nonexistent host is unreachable. The attacked host
could
close a half open socket if it received a ICMP message with the
corresponding
host address and socket port data.

Ideally. A lot of firewalls silently drop packets which don't get past the
security policy to make port scanning take much longer than it would if
ICMP's were sent back. No resets, no ICMP unreachable.

b.