Sockstress
Oliver Fromme
olli at lurza.secnetix.de
Thu Oct 9 13:38:35 UTC 2008
This is the wrong mailing list, you should send this
to the -security list.
By the way, this kind of attack isn't really new
(as far as I can tell from the little information that
has been made public so far). One way to mitigate
it is to limit the number of open connections per
remote IP address; you can easily do that with PF
or IPFW ("limit" option).
Best regards
Oliver
Lukasz Jaroszewski <sigtrm at gmail.com> wrote:
> Hi,
> I am wondering about the sockstress information recently published. I can't
> really figure out what new they could have found. Do we have anything to worry about?
> ;-)
>
> http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1332898,00.html
>
> ``(...)Sockstress computes and stores so-called client-side SYN cookies and
> enables Lee and Louis to specify a destination port and IP address. The
> method allows them to complete the TCP handshake without having to store any
> values, which takes time and resources. "We can then say that we want to
> establish X number of TCP connections on that address and that we want to
> use this attack type, and it does it," Lee said.(...)''
>
> ``(...)Lee said that when and _if_ specific vendors develop workarounds for
> the issues, they will release details of those issues.(...)''
>
> Was the FreeBSD team contacted? ;)
>
--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Munich Register Court, HRA 74606, Management:
secnetix Verwaltungsgesellsch. mbH, Commercial register: Munich Register
Court, HRB 125758, Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD services, products and more: http://www.secnetix.de/bsd
"Unix gives you just enough rope to hang yourself --
and then a couple of more feet, just to be sure."
-- Eric Allman
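
The per-source connection limit mentioned in the reply above, written out as a pf.conf fragment. This is an added example, not part of the original message; the interface name, port list, table name and numeric limits are assumed values chosen for illustration.

```conf
# pf.conf fragment (constructed example; all names and numbers are assumptions)

ext_if       = "em0"            # assumed external interface
tcp_services = "{ 22, 80 }"     # assumed services exposed on this host

# Sources that exceed the limits below are collected here.
table <conn_abusers> persist

# Drop everything from sources already flagged, before any pass rule is seen.
block in quick on $ext_if from <conn_abusers>

# Default deny for inbound traffic.
block in on $ext_if all

# Unlimited form, shown for comparison only: a single remote address may hold
# as many established connections as the state table allows.
# pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_services \
#     flags S/SA keep state

# Limited form:
#   max-src-conn       caps simultaneous connections per source address that
#                      have completed the three-way handshake
#   max-src-conn-rate  caps new connections per source (20 within 10 seconds)
#   overload           adds the offending source to <conn_abusers>
#   flush global       removes all existing states created by that source
pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_services \
    flags S/SA keep state \
    (max-src-conn 50, max-src-conn-rate 20/10, \
     overload <conn_abusers> flush global)

pass out on $ext_if all keep state

# IPFW counterpart using the "limit" option named in the message:
#   ipfw add allow tcp from any to me 22,80 setup limit src-addr 50
```

Clients that share one NAT address count as a single source, so the limit has to leave room for them. Entries in the table stay until removed, for example with `pfctl -t conn_abusers -T expire 3600`.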