Re: Two questions

From: Blake Frantz (blakeat_private)
Date: Fri Apr 13 2001 - 09:55:54 PDT


    Hello,
    
    To the best of my knowledge, the DoS'ed server does not respond and the
    connection times out.
    
    RST's are sent whenever a TCP segment arrives that isn't correct
    for the current connection (i.e. no listening service).
    
    If there is a service listening on the requested port and the
    service/daemon is out of available connections, the TCP stack doesn't send
    anything back unless the daemon is smart enough to realize it and *tells*
    the stack to send data (ie license violation...).
    
    (correct me if I'm mistaken)
    
    It does not send ICMP Source Quench unless (depending on which RFC your
    router conforms to) the DoS has saturated the routers buffers.
    
    <TCP Illustrated>
    RFC 1009 (1987) requires routers to generate source quench packets when they
    run out of buffers.
    
    The new Router Requirements RFC (Almquist 1993) changes this and says that
    a router must not originate source quench errors because it consumes
    network bandwidth and is ineffective.
    </TCP Illustrated>
    
    as for question two....
    
    I would fire up netcat and let my sniffer do the logging.
    
    Blake
    
    =================================================================
    The Government, like diapers, should be replaced regularly, and
    often for the same reasons.
    
    On Thu, 12 Apr 2001, Portnoy, Gary wrote:
    
    > Greetings
    >
    > Two completely unrelated questions:
    >
    > 1.  If a machine is being SYN flooded, once the connection queue is filled,
    > is it
    > a) going to respond with RST,
    > b) going to respond with ICMP Source Quench
    > c) not going to respond at all.
    >
    > The reason I am asking is that once in a while, I see packets with R and A
    > bits set destined to a few hosts on my network that are silent.  The only
    > logical explanation is that their IP's are used in a spoofed flood attack,
    > and the RSTACK are the residuals.  Am I correct?
    >
    > 2.  Is there an app, that'll listen on assigned ports, complete the 3 way
    > handshake, and log everything that's sent to it.  I want to be able to log
    > the various exploits without actually running the vulnerable services, so
    > something that listens on port 111, or 53, or 21 and logs the connections
    > would be great.  Can netcat do this?  After this email, I am going to go
    > play....
    >
    > Thanks
    > -Gary-
    >
    > Gary Portnoy
    > Network Administrator
    > gportnoyat_private
    >
    > PGP Fingerprint: 9D69 6A39 642D 78FD 207C  307D B37D E01A 2E89 9D2C
    >
    


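For question 2 (complete the 3-way handshake on ports like 21, 53 or 111 and log whatever arrives, without running the real daemon), netcat plus a sniffer works as Blake says; the listener below is an added, self-contained alternative in Python, not code from the thread. The kernel completes the handshake on accept(), the handler reads until the client closes or a timeout expires, and each connection is recorded with timestamp, peer, local port and a hex/ASCII dump of the bytes. The port list, timeouts and the FTP-style sample payload are assumptions for the demo; binding the privileged ports named in the thread needs root.

```python
"""Connection-logging listener: accept on chosen ports, log the payload, never
talk back. Added example; run_demo() uses an ephemeral port and a constructed
client so it runs without root."""
import socket
import threading
import time

class LoggingListener:
    def __init__(self, host="0.0.0.0", ports=(21, 53, 111), timeout=5.0, max_bytes=65536):
        self.host, self.ports, self.timeout, self.max_bytes = host, ports, timeout, max_bytes
        self.records = []            # (ts, peer_ip, peer_port, local_port, payload bytes)
        self._lock = threading.Lock()
        self._socks, self._threads = [], []
        self._stop = threading.Event()

    def start(self):
        """Bind every port and start an accept loop per port; returns the bound ports."""
        bound = []
        for port in self.ports:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((self.host, port))
            s.listen(16)
            s.settimeout(0.2)        # lets the accept loop notice stop()
            self._socks.append(s)
            bound.append(s.getsockname()[1])
            t = threading.Thread(target=self._accept_loop, args=(s,), daemon=True)
            t.start()
            self._threads.append(t)
        return bound

    def _accept_loop(self, lsock):
        local_port = lsock.getsockname()[1]
        while not self._stop.is_set():
            try:
                conn, peer = lsock.accept()     # handshake already done by the kernel
            except socket.timeout:
                continue
            except OSError:                     # socket closed by stop()
                break
            threading.Thread(target=self._handle, args=(conn, peer, local_port), daemon=True).start()

    def _handle(self, conn, peer, local_port):
        """Read until the peer closes, the size cap is hit or the idle timeout fires."""
        data = bytearray()
        conn.settimeout(self.timeout)
        try:
            while len(data) < self.max_bytes:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
        except (socket.timeout, OSError):
            pass
        finally:
            conn.close()
        with self._lock:
            self.records.append((time.time(), peer[0], peer[1], local_port, bytes(data)))

    def stop(self):
        self._stop.set()
        for s in self._socks:
            s.close()
        for t in self._threads:
            t.join(timeout=1.0)

def format_record(rec):
    """One log line per connection: UTC time, peer, local port, hex and printable dump."""
    ts, ip, port, lport, data = rec
    stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(ts))
    printable = "".join(chr(b) if 32 <= b < 127 else "." for b in data)
    return f"{stamp} {ip}:{port} -> :{lport} {len(data)} bytes hex={data.hex()} ascii={printable}"

def run_demo(payload=b"USER anonymous\r\n", wait=3.0):
    """Start a listener on an OS-chosen port, send a constructed payload, return the record."""
    srv = LoggingListener(host="127.0.0.1", ports=(0,))
    (port,) = srv.start()
    try:
        with socket.create_connection(("127.0.0.1", port)) as c:
            c.sendall(payload)
        deadline = time.time() + wait
        while time.time() < deadline:
            with srv._lock:
                if srv.records:
                    return srv.records[0]
            time.sleep(0.05)
        return None
    finally:
        srv.stop()

if __name__ == "__main__":
    print(format_record(run_demo()))
```

Because the listener never sends a banner, some clients and scanners will wait before speaking; the idle timeout closes those without losing the connection record. Keep a sniffer on the same box anyway, as Blake suggests: it also captures the connection attempts that never complete the handshake, which this listener cannot see.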

    This archive was generated by hypermail 2b30 : Sat Apr 14 2001 - 09:19:47 PDT