Re: Better than SYNcookies?

From: Joerg Pommnitz (Joerg.Pommnitz@joerg-pommnitz.de)
Date: Tue Sep 26 2000 - 03:10:51 EST


Here is a message from nntp://news.grc.com/news.feedback

Somebody with good knowledge of the Linux SYN-Cookies should
probably drop by and discuss the matter...

Regards
    Joerg

Subject: A *significant* dilemma . . .
Date: Mon, 25 Sep 2000 13:15:59 -0700
From: Steve Gibson <support@grc.com>
Organization: Gibson Research Corporation
Newsgroups: news.feedback

Gang,

I'm in a BIG dilemma ... and I think some opinions and discussion
would be in order.

While detailing exactly why my system is different and superior to
what's been done before ... I was thinking through the LINUX SYN
Cookie approach and I *cracked* its security -- completely.

I can IP spoof flood -- and probably crash -- any (presumably LINUX)
kernel that's relying upon SYN Cookies for its "protection" since it
would be a connection-establishing ACK flood which is much more
dangerous than a fake handshake SYN flood.

So, the dilemma is what to do about that knowledge and information.

You know that I'd LOVE to explain exactly how and why SYN Cookies can
be crumbled. It would -- once and for all -- silence those who claim
that I have nothing new to offer. But wouldn't doing so be extremely
irresponsible since -- if Torinak's correct -- LINUX servers are
currently being "protected" by this insecure system? And since
cracking a SYN Cookie protected server is MUCH more damaging than SYN
flooding?

And if I declare that I've cracked SYN Cookies *without* explaining
how, won't people just claim that I haven't??

What do you guys think???

(By the way, if you hadn't already figured it out, SYN Cookies are a
REALLY BAD idea! They are *WORSE* than using nothing, since when
cracked (which is NOT difficult) they allow direct access to
connection establishment, completely bypassing handshaking.)

-- 
_________________________________________________________________
Steve Gibson,            at work on: < http://grc.com/np/np.htm >

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org Please read the FAQ at http://www.tux.org/lkml/


