> OpenBSD has a random TCP timestamp header so an attacker is going to have
> a difficult time predicting when the 10s timeout was first inserted into
> the wheel. Remember PF prunes the whole tree of expired states every
> timeout interval, we don't insert a timeout into the wheel for every
> state or reassembly queue.
Sorry about that. Now that you mention it, I do remember hearing about timestamp randomization before. But I thought this only affects the timestamp that's sent back to the attacker, so he can't make assumptions about the system clock for purposes of, say, identifying the OS or determining uptime, based on how different systems start counting on timestamps. I figure the state timeout system simply removes states that have existed with no additional traffic after a certain, knowable amount of time (for instance, if TCP.first is 10 seconds, then 10 seconds after that SYN arrives, the state is removed). My assumption was that the attacker was completely ignoring any response generated by the server, including timestamps, SYN/ACKs, whatever. It's just a series of timed SYN bursts which attempt to accomplish similar goals (in terms of state exhaustion) as a SYN flood while not actually taking the entire system down. I'm really not even sure what use timestamps are to an attacker beyond gathering the type of info one might otherwise try to gather from ip-id profiling (defeated as of 3.3, yeah!). Maybe there's an insertion attack sorta like an ISN prediction attack based on it somewhere, but these weren't the kinds of attacks I was thinking of... Are timestamps used for something more important than what I was thinking of?

> Perusing the PF source would probably do you some good. Some
> implementation experience to back up the theory.

Yeah, point well taken. It's already on my list of things I really ought to do before shooting my mouth [keyboard] off in discussion groups. I'm sure everyone benefits from a little theory now and then, even from inept coders like myself; it takes a lot of different kinds of minds working together to produce a thoroughly secure firewall. But in any event, I *am* planning on some day delving into the Mighty Monstrosity that is the Kernel, and hopefully I'll have some code to attach to future submissions.
In the meantime, thanks for putting up with me.
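For readers following the state-exhaustion concern in the exchange above, here is an added pf.conf fragment (not from the thread or from the PF project itself) showing the knobs a PF administrator has against timed SYN bursts: a hard ceiling on the state table, a short tcp.first timeout, and adaptive timeouts that shrink expiry times as the table fills. The interface name and the numeric values are illustrative assumptions, not tuned recommendations.

```pf
# Upper bound on the state table; once reached, new states are refused
# rather than exhausting kernel memory (value is an assumption).
set limit states 10000

# Half-open entries (SYN seen, handshake not completed) expire after 10s,
# matching the TCP.first value discussed in the thread.
set timeout tcp.first 10

# Adaptive timeouts: when the table holds more than adaptive.start
# states, every timeout is scaled down linearly, reaching zero at
# adaptive.end. This lets stale half-open states drain faster under load.
set timeout { adaptive.start 6000, adaptive.end 12000 }

# Only create a state for an initial SYN (flags S/SA), so stray ACKs or
# RSTs from a burst never consume a table slot. "em0" is an assumed interface.
pass in on em0 proto tcp from any to any port 80 flags S/SA keep state
```

`pfctl -si` reports current state-table usage and `pfctl -st` the effective timeouts, which is how to confirm the adaptive scaling is taking effect during a burst.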
