Re: Emergency shutdown feature

Gordon Oliver (gordo@telsur.cl)
Sun, 21 Dec 1997 13:20:00 -0300


... linux kernel account said ...
>I see the only need for the 'challenge system' is so that you can
>identify the sender. My main difficulty with the challenge system is
>that the reboot packet is to reboot a runaway computer. The challenge
>system would most likely lower its effectiveness.

indeed, it would possibly fail to reboot... not quite optimal.

>MOST importantly, your suggestion requires the 'rebooted' computer to
>generate a random value and several SHA hashes per request packet
>received.. That is a rather nice DOS attack. My proposal would have
>virtually the same security but would only require 1 SHA computation every
>4.2 minutes and can be done on the first reboot packet received. Further
>packets need just a compare.. No DOS there.. (at least no DOS worse than a
>ping bomb)!

ahm. but you misunderstood here. The request is in the open, no authentication.
The response is a pre-generated random number (computed for the first request,
and never again). The primary advantage to doing this is that the attacker
must receive the ping response in order to do a DOS attack. Otherwise the
random number can be compared... (oops, bet I didn't put that explicitly in
the packet, though the intention was there...) The _only_ SHA computation is
on the challenge-response packet. Yes, this involves more SHA computations...
The random numbers provide "linking" between the three packets. In order to
make an effective DOS attack the attacker would have to receive the ping
response.

[snip]
> My estimations of time are only dependent
> on network speed.. I was estimating the average crack time of
> well over a billion years on 100bit ethernet. I doubt the attack
> would become feasible with 10-20 generations of human life.

right. but I get very few warm fuzzies from knowing a random spoofed packet
can reboot the computer...

>
>> - You must allow a window for the lack of synchronization between
>> the rebooter and the host to be rebooted. So you'll probably allow
>> a single packet to have a validity of about 8 minutes.
> Actually I allow for 256 seconds of validity requiring +/- 2.16
> accuracy with the clocks. I was recommending dropping the last 8
> bits of the 32-bit unix time.. It fits well..

so you'll have to send a slew of packets if they are poorly aligned. It'd work.

>I think you are suggesting a little overkill.
>The DOS potential of your solution greatly outweighs the minor potential
>benefit of your suggestion..

perhaps... but like I said, I don't get warm fuzzies when a random packet
can reboot the computer.
-gordo

--
---------------------------------------------------------------
Gordon Oliver	(gordo@telsur.cl)	Independent Consultant
	... Available for consulting on Linux  ...
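The time-bucketed scheme quoted in the thread (one SHA per 256-second bucket on the rebooted host, every further packet just a compare, and the rebooter sending a slew of packets to cover clock misalignment), written out as an added example that is code from neither poster. The shared secret, the HMAC-SHA1 keyed construction standing in for the thread's bare "SHA", and the packet being nothing but the authenticator are my assumptions.

```python
import hmac

BUCKET_SHIFT = 8                        # drop the low 8 bits of 32-bit unix time: 256 s buckets
SECRET = b"constructed-shared-secret"   # placeholder for illustration, not a real key


def bucket_of(unix_time: int) -> int:
    """Map a unix timestamp to its 256-second bucket number."""
    return int(unix_time) >> BUCKET_SHIFT


def authenticator(secret: bytes, bucket: int) -> bytes:
    """Keyed hash over the bucket number (HMAC-SHA1 assumed; the thread only says 'SHA')."""
    return hmac.new(secret, bucket.to_bytes(4, "big"), "sha1").digest()


class RebootListener:
    """Rebooted host: hash once per bucket, then only compare incoming packets."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self._bucket = None      # bucket the cached authenticator was computed for
        self._auth = None        # cached authenticator for that bucket
        self.hash_count = 0      # how many SHA computations this host has done

    def expected(self, now: int) -> bytes:
        """Recompute only when the 256-second bucket changes."""
        b = bucket_of(now)
        if b != self._bucket:
            self._auth = authenticator(self.secret, b)
            self._bucket = b
            self.hash_count += 1
        return self._auth

    def accept(self, packet: bytes, now: int) -> bool:
        """A flood of bad packets costs one constant-time compare each, no hashing."""
        return hmac.compare_digest(packet, self.expected(now))


def rebooter_packets(secret: bytes, now: int) -> list:
    """Sender side: cover +/- one bucket of clock skew by sending three packets."""
    b = bucket_of(now)
    return [authenticator(secret, b + d) for d in (-1, 0, 1)]


if __name__ == "__main__":
    import time
    host = RebootListener(SECRET)
    now = int(time.time())
    print([host.accept(p, now) for p in rebooter_packets(SECRET, now)], host.hash_count)
```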