Re: serious flaw exposed via filters

Robert Hanson (roberth@cet.com)
Mon, 16 Sep 1996 09:54:37 -0700 (PDT)

It might be helpful to see the filter, with any appropriate addresses and/or networks shown with a's, b's, c's, and x's in place of the numbers...

Otherwise, how could we help?

--->
Robert H. Hanson LAN/WAN Consultant - Internet Service Provider
Otis Orchards, Wa. Cutting Edge Communications www.cet.com
(509) 927-9541 finger: info@cet.com or email: roberth@cet.com

On Mon, 16 Sep 1996, Kai wrote:

> I sent the following off to support@livingston.com, but feel like sharing
> this is a good idea:
> -----------------------
>
> Hi there,
>
> given the recent widespread attacks on the infrastructure of the Internet via
> the SYN Flood tool published in 2600 and Phrack magazine, I decided to
> install outgoing filters on the ethernet ports of our portmasters.
> I opted for the 'log' option in the final 'deny' line.
>
> To my big surprise, the log started reporting denied packets that should
> NEVER have traversed the interface in outbound direction.
>
> After some detailed analysis, it looks like IP traffic that is directed
> by far away hosts at a local PPP dialup user who has JUST DISCONNECTED
> makes the PM (ComOS 3.3.2 release) feel like putting those packets BACK
> on the ethernet. And it's doing this for quite some time: an extreme
> case in the logs after a user disconnected shows about 200 logged denies
> over a period of 3 minutes and 40 seconds!
>
> Obviously, this is a bad situation: it makes use of the log statement for
> the purpose of detecting spoofed IP packets useless, just at a time when
> we need it most: early detection of SYN flood attempts by 15-year-old-
> hormone-laden-king-of-the-hill-linux-wielding-IRC-warrrior-warez-trading
> "users", causing thousands of dollars of damages by executing a small
> C program....
>
> bye, Kai
>
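Kai's message describes egress deny+log entries that are not spoofing at all: packets from remote hosts addressed to a dialup user who has just dropped, forwarded back out the Ethernet port and caught by the final deny rule. The following is an added example, not code from the original post or from Livingston, showing how an operator can triage such a log so that the anti-spoof signal survives: it separates genuine foreign-source denies from bounces toward the dialup pool and collapses the bounces per destination with a count and duration (the "200 denies over 3m40s" pattern). The log line format, the local prefixes, the dialup pool range and the sample lines are constructed assumptions, not the PortMaster's real syntax or this site's addresses.

```python
"""Triage egress-filter deny logs: separate true anti-spoof hits from
packets bounced back out the Ethernet port toward a disconnected dialup
address.  Added example; log format and address ranges are constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed assumptions: prefixes this site legitimately sources traffic
# from, and the pool from which dialup PPP users are assigned addresses.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
              ipaddress.ip_network("198.51.100.0/24")]
DIALUP_POOL = ipaddress.ip_network("198.51.100.0/25")

# Constructed log format (not the real PortMaster syntax):
# "<HH:MM:SS> deny out <iface> <proto> <src> -> <dst>"
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) deny out (\S+) (\S+) (\S+) -> (\S+)$")


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, iface, proto, src, dst = m.groups()
    return {"time": datetime.strptime(ts, "%H:%M:%S"), "iface": iface,
            "proto": proto, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst)}


def is_local(addr):
    return any(addr in net for net in LOCAL_NETS)


def classify(rec):
    """Label one denied outbound packet."""
    if rec["dst"] in DIALUP_POOL and not is_local(rec["src"]):
        # Inbound packet for a dialup address that was forwarded back out the
        # Ethernet port: the bounce behaviour the thread describes, not spoofing.
        return "bounce_to_dialup"
    if not is_local(rec["src"]):
        # A packet leaving our Ethernet port with a foreign source address:
        # exactly what the egress anti-spoof rule exists to catch.
        return "spoofed_source"
    return "other_deny"


def triage(lines):
    """Summarise denies: spoof hits listed individually, bounces collapsed per destination."""
    spoofed = []
    bounces = defaultdict(list)
    other = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label == "spoofed_source":
            spoofed.append((str(rec["src"]), str(rec["dst"])))
        elif label == "bounce_to_dialup":
            bounces[str(rec["dst"])].append(rec["time"])
        else:
            other += 1
    bounce_summary = {
        dst: {"count": len(times),
              "seconds": int((max(times) - min(times)).total_seconds())}
        for dst, times in bounces.items()
    }
    return {"spoofed": spoofed, "bounces": bounce_summary, "other": other}


# Constructed sample log: three bounces toward one dialup address, one real
# foreign-source deny, and one local-source deny of some other kind.
SAMPLE_LOG = [
    "10:00:01 deny out ether0 tcp 203.0.113.7 -> 198.51.100.23",
    "10:00:05 deny out ether0 tcp 203.0.113.7 -> 198.51.100.23",
    "10:03:41 deny out ether0 tcp 203.0.113.9 -> 198.51.100.23",
    "10:01:10 deny out ether0 tcp 10.9.8.7 -> 203.0.113.50",
    "10:01:11 deny out ether0 udp 192.0.2.77 -> 203.0.113.50",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run against the sample, the one foreign-source entry (10.9.8.7) is reported on its own, while the three entries toward 198.51.100.23 collapse into a single bounce record spanning 220 seconds, so the operator can keep reading the spoof column even while the router is replaying traffic for a dropped session.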