On Wed, 01 Oct 2008 12:24:16 -0300
Fernando Gont <[EMAIL PROTECTED]> wrote:

> At 11:13 a.m. 01/10/2008, Duncan Patton a Campbell wrote:
> 
> >"
> >Sockstress computes and stores so-called client-side SYN cookies and 
> >enables Lee and Louis to specify a destination port and IP address. 
> >The method allows them to complete the TCP handshake without having 
> >to store any values, which takes time and resources. "We can then 
> >say that we want to establish X number of TCP connections on that 
> >address and that we want to use this attack type, and it does it," Lee said.
> >"
> 
> This is simply the Naptha attack. They don't really need to "use syn 
> cookies". They could simply ACK any SYN/ACK they receive, and that's it.
> 

The impression I got is that they collect enough SYN cookies from
the server to crack the server's secret (24-bit) and THEN they can
forge any number of ACKs to the server's SYN cookie that contain
bogus IP/ports but with the correct sequence/hash. If this is not
the case then it is nothing new.

Dhu


> The attack is not new, and they are not proposing any counter-measures.
> 
> It doesn't mean that this does not need attention... but they are not 
> making any new contribution to the issue.
> 
> Kind regards,
> 
> --
> Fernando Gont
> e-mail: [EMAIL PROTECTED] || [EMAIL PROTECTED]
> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
