Gentoo Forums
Port Flood
puggy
Bodhisattva
Joined: 28 Feb 2003
Posts: 1992
Location: Oxford, UK
Posted: Tue Jun 24, 2003 8:36 pm    Post subject: Port Flood

What exactly is a port flood and how does it work?
_________________
Where there's open source , there's a way.
sschlueter
Guru
Joined: 26 Jul 2002
Posts: 578
Location: Dortmund, Germany
Posted: Tue Jun 24, 2003 9:00 pm    Post subject: Re: Port Flood

puggy wrote:
What exactly is a port flood and how does it work?


Do you mean syn flood?
pYrania
Retired Dev
Joined: 27 Oct 2002
Posts: 650
Location: Cologne - Germany
Posted: Tue Jun 24, 2003 9:15 pm

Flooding a specific port until the service can't handle it anymore and crashes. Used for total system crashes or in giving you some system access you won't normally gain ;-)
_________________
Markus Nigbur
puggy
Bodhisattva
Joined: 28 Feb 2003
Posts: 1992
Location: Oxford, UK
Posted: Tue Jun 24, 2003 9:28 pm    Post subject: Re: Port Flood

sschlueter wrote:
puggy wrote:
What exactly is a port flood and how does it work?


Do you mean syn flood?


OMG this page is the most hideous on the eyes.
_________________
Where there's open source , there's a way.
puggy
Bodhisattva
Joined: 28 Feb 2003
Posts: 1992
Location: Oxford, UK
Posted: Tue Jun 24, 2003 10:03 pm

Cheers. That was what I was looking for. Don't worry. I'm not going to be doing any DoS attacks. I can't believe anyone is still vulnerable to them!

Puggy
_________________
Where there's open source , there's a way.
FuR
n00b
Joined: 04 Mar 2003
Posts: 34
Posted: Tue Jun 24, 2003 10:16 pm

Quote:
I can't believe anyone is still vulnerable to them!


Well, no matter what service you are running, be it http, ssh, ftp, telnet or whatever, if there is a huge amount of requests trying to access a service, there will be a time when it just can't handle those requests and starts dropping the new ones because it is trying to serve the 7000 ones that came before it. There really isn't too much any application can do to prevent this because its job as a service is to serve the requests.
puggy
Bodhisattva
Joined: 28 Feb 2003
Posts: 1992
Location: Oxford, UK
Posted: Tue Jun 24, 2003 10:24 pm

FuR wrote:
Quote:
I can't believe anyone is still vulnerable to them!


Well, no matter what service you are running, be it http, ssh, ftp, telnet or whatever, if there is a huge amount of requests trying to access a service, there will be a time when it just can't handle those requests and starts dropping the new ones because it is trying to serve the 7000 ones that came before it. There really isn't too much any application can do to prevent this because its job as a service is to serve the requests.


Yes, but it's been prevented by limiting the number of half-open TCP connections.
_________________
Where there's open source , there's a way.
sschlueter
Guru
Joined: 26 Jul 2002
Posts: 578
Location: Dortmund, Germany
Posted: Tue Jun 24, 2003 11:52 pm

puggy wrote:
Yes, but it's been prevented by limiting the number of half-open TCP connections.


No! SYN flooding works regardless of whether you limit the number of half-open TCP connections or not.

It's really hard to understand. Let me try to explain. English is not my native language but I'll try anyway.

Memory has to be allocated for each half-open TCP connection. This is necessary because the target system has to check whether the TCP handshake was done properly. If there is no limit, an attacker could cause all memory of the system to be allocated (resource exhaustion attack). If there is a limit, an attacker can fill up the available entries of the array/list/whatever so that no new connections can be accepted because there is no space left to store the information for the half-open connection. Usually, this situation doesn't occur even with a very busy webserver because each entry usually lasts only for a very short time, namely, until the TCP connection is fully established. But the attack works because the attacker spoofs his/her source address to a nonexistent address or that of a dead system (it's important that there won't be an answer to the SYN/ACK reply) so that the half-open connection remains in the array/list/whatever for a long time, namely, until a timeout occurs.

Traditionally, there is nothing you can do against a SYN flood attack. The only solution is to find a way to be able to check the validity of the last ACK of the TCP handshake without allocating any memory previously. This has in fact been implemented, and it's called "SYN cookies". The rough idea is to "encode" some information that helps to verify the validity of the final ACK inside the initial sequence number of the SYN/ACK, which can be "decrypted" when the ACK arrives. This way, the system doesn't need to allocate any memory to store information for the first SYN. The Linux kernel can use SYN cookies if the kernel was compiled with SYN cookies support. FreeBSD has SYN cookies support, too.

The document you have linked to is very old. At that time, the official Linux kernel didn't have SYN cookies support.

A note to FuR and pYrania: You are probably talking about something different. Flooding a service after the TCP connection is established is a different kind of problem.
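The two mechanisms sschlueter contrasts (a bounded half-open table that spoofed SYNs can fill, versus SYN cookies that validate the final ACK without storing state) as an added example; this is not code from the thread or from any kernel, but a simplified Python model with a constructed server secret and constructed addresses. Real stacks also fold a timestamp and MSS into the cookie and only switch to cookies once the backlog overflows; those details are left out here.

```python
import hashlib
import hmac
import os

SECRET = os.urandom(16)  # constructed server secret; a real stack also mixes in a timestamp
MASK = 0xFFFFFFFF


class Listener:
    # Toy TCP listener: a bounded half-open table, or stateless SYN cookies (simplified model).
    def __init__(self, backlog=4, syncookies=False):
        self.backlog, self.syncookies = backlog, syncookies
        self.half_open = {}  # (src_ip, src_port) -> server ISN; only used without cookies

    def _cookie(self, src_ip, src_port, client_isn):
        # Server ISN = MAC over what the SYN told us, so the final ACK can be checked statelessly.
        msg = f"{src_ip}:{src_port}:{client_isn}".encode()
        return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, src_ip, src_port, client_isn):
        # Returns the server ISN for the SYN/ACK, or None if the SYN had to be dropped.
        if self.syncookies:
            return self._cookie(src_ip, src_port, client_isn)  # nothing allocated
        if len(self.half_open) >= self.backlog:
            return None  # table full of entries that will never complete: real SYNs are dropped
        isn = int.from_bytes(os.urandom(4), "big")
        self.half_open[(src_ip, src_port)] = isn
        return isn

    def on_ack(self, src_ip, src_port, client_isn, ack_num):
        # Validates the handshake's final ACK; True means the connection is established.
        if self.syncookies:
            return ack_num == (self._cookie(src_ip, src_port, client_isn) + 1) & MASK
        isn = self.half_open.pop((src_ip, src_port), None)
        return isn is not None and ack_num == (isn + 1) & MASK


def legit_client_connects_during_flood(syncookies):
    """Constructed scenario: spoofed SYNs whose SYN/ACKs go unanswered, then one real client."""
    srv = Listener(backlog=4, syncookies=syncookies)
    for i in range(10):  # unreachable sources: no ACK ever arrives, so entries never clear
        srv.on_syn(f"203.0.113.{i}", 40000 + i, 1000 + i)
    isn = srv.on_syn("198.51.100.7", 51000, 7777)
    return isn is not None and srv.on_ack("198.51.100.7", 51000, 7777, (isn + 1) & MASK)


def forged_ack_is_rejected():
    """An ACK from a sender that never saw the SYN/ACK cannot carry a valid cookie."""
    srv = Listener(syncookies=True)
    bad = (srv._cookie("198.51.100.7", 51000, 7777) + 2) & MASK
    return not srv.on_ack("198.51.100.7", 51000, 7777, bad)
```

Without cookies the four spoofed entries never leave the table (the model has no timeout), so the legitimate client's SYN is dropped; with cookies it completes, and a blind ACK that never saw the SYN/ACK still fails the check.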
puggy
Bodhisattva
Joined: 28 Feb 2003
Posts: 1992
Location: Oxford, UK
Posted: Wed Jun 25, 2003 12:00 am

I see what you mean. All that is prevented is the server running out of memory.
_________________
Where there's open source , there's a way.
dice
Guru
Joined: 21 Apr 2002
Posts: 577
Posted: Wed Jun 25, 2003 2:22 am

If you had an IDS running you could configure it so that if there were an inordinate number of connection requests from a host the IDS could notify the firewall to blacklist said host. Of course if someone knew about this protection mechanism they could then use spoofed connection requests to cause your firewall to block traffic from arbitrary hosts. Then again you could explicitly configure your firewall to always allow traffic to/from certain hosts, but said attacker would then know that they could use that host's address to launch attacks.

Networking security is fun!
pizen
Apprentice
Joined: 23 Jun 2002
Posts: 213
Location: Atlanta, GA, USA
Posted: Wed Jun 25, 2003 2:22 pm

There is no security if you're going up against a smart attacker. The only thing you can do is remove yourself from the network but that's no fun.
puggy
Bodhisattva
Joined: 28 Feb 2003
Posts: 1992
Location: Oxford, UK
Posted: Wed Jun 25, 2003 2:28 pm

pizen wrote:
There is no security if you're going up against a smart attacker. The only thing you can do is remove yourself from the network but that's no fun.


To be honest, I'm really not worth hacking, and I think that as long as you're safe and as smart as the attacker then there's no reason why you should be compromised.
_________________
Where there's open source , there's a way.
pizen
Apprentice
Joined: 23 Jun 2002
Posts: 213
Location: Atlanta, GA, USA
Posted: Wed Jun 25, 2003 2:38 pm

puggy wrote:
To be honest, I'm really not worth hacking, and I think that as long as you're safe and as smart as the attacker then there's no reason why you should be compromised.

I'm really speaking of DoS and why anyone would care to DoS a small system is beyond me.
patan
n00b
Joined: 19 Feb 2003
Posts: 66
Posted: Thu Jun 26, 2003 8:07 am

pizen wrote:

I'm really speaking of DoS and why anyone would care to DoS a small system is beyond me.


On the other hand, if someone wants to DoS something (for whatever reason) and doesn't have the resources to aim big, I wouldn't be surprised if they DoS small systems.
puggy
Bodhisattva
Joined: 28 Feb 2003
Posts: 1992
Location: Oxford, UK
Posted: Thu Jun 26, 2003 1:08 pm

patan wrote:
pizen wrote:

I'm really speaking of DoS and why anyone would care to DoS a small system is beyond me.


On the other hand, if someone wants to DoS something (for whatever reason) and doesn't have the resources to aim big, I wouldn't be surprised if they DoS small systems.


If they did it to me though I'd just block some ports on my firewall for a few hours. No problem. :-D It's not as if I have thousands of users trying to log on all the time.
_________________
Where there's open source , there's a way.
idl
Retired Dev
Joined: 24 Dec 2002
Posts: 1728
Location: Nottingham, UK
Posted: Thu Jun 26, 2003 1:16 pm

puggy wrote:
patan wrote:
pizen wrote:

I'm really speaking of DoS and why anyone would care to DoS a small system is beyond me.


On the other hand, if someone wants to DoS something (for whatever reason) and doesn't have the resources to aim big, I wouldn't be surprised if they DoS small systems.


If they did it to me though I'd just block some ports on my firewall for a few hours. No problem. :-D It's not as if I have thousands of users trying to log on all the time.


It takes more than just blocking a port. Even if a port is blocked or nothing is running on it, the server still takes in the packet and decides what to do with it. If it's set to drop the packet then you've only got inbound traffic filling the line; if it's set to reject, you have the failure packet going back out as well. If you have a lot of zombie servers all sending packets to the same IP address, the server may be powerful enough to handle it, but the connection it's hosted on may not. So either way, the server goes down or the connection gets filled - people won't be able to access the site and the DoSer has achieved his/her goal.
_________________
a.k.a port001
Found a bug? Please report it: Gentoo Bugzilla
puggy
Bodhisattva
Joined: 28 Feb 2003
Posts: 1992
Location: Oxford, UK
Posted: Thu Jun 26, 2003 1:25 pm

port001 wrote:
puggy wrote:
patan wrote:
pizen wrote:

I'm really speaking of DoS and why anyone would care to DoS a small system is beyond me.


On the other hand, if someone wants to DoS something (for whatever reason) and doesn't have the resources to aim big, I wouldn't be surprised if they DoS small systems.


If they did it to me though I'd just block some ports on my firewall for a few hours. No problem. :-D It's not as if I have thousands of users trying to log on all the time.


It takes more than just blocking a port. Even if a port is blocked or nothing is running on it, the server still takes in the packet and decides what to do with it. If it's set to drop the packet then you've only got inbound traffic filling the line; if it's set to reject, you have the failure packet going back out as well. If you have a lot of zombie servers all sending packets to the same IP address, the server may be powerful enough to handle it, but the connection it's hosted on may not. So either way, the server goes down or the connection gets filled - people won't be able to access the site and the DoSer has achieved his/her goal.


It's a hardware firewall. :-D
_________________
Where there's open source , there's a way.
Haro
n00b
Joined: 17 May 2003
Posts: 71
Location: West Bend, WI
Posted: Thu Jun 26, 2003 1:33 pm

puggy wrote:
It's a hardware firewall. :-D

Even so, a packet has to reach your firewall before the firewall can filter it. This is why DoS attacks are pretty much impossible to prevent.
pizen
Apprentice
Joined: 23 Jun 2002
Posts: 213
Location: Atlanta, GA, USA
Posted: Thu Jun 26, 2003 1:43 pm

Haro wrote:
puggy wrote:
It's a hardware firewall. :-D

Even so, a packet has to reach your firewall before the firewall can filter it. This is why DoS attacks are pretty much impossible to prevent.

Yeah, the DoS won't crash your machine but it will saturate your pipe to the point that it becomes unusable.
puggy
Bodhisattva
Joined: 28 Feb 2003
Posts: 1992
Location: Oxford, UK
Posted: Thu Jun 26, 2003 1:45 pm

pizen wrote:
Haro wrote:
puggy wrote:
It's a hardware firewall. :-D

Even so, a packet has to reach your firewall before the firewall can filter it. This is why DoS attacks are pretty much impossible to prevent.

Yeah, the DoS won't crash your machine but it will saturate your pipe to the point that it becomes unusable.


Ah well. I don't suppose it's going to happen anyway. :-D
_________________
Where there's open source , there's a way.
simcop2387
Apprentice
Joined: 14 Aug 2002
Posts: 200
Location: Galactic Sector ZZ9 Plural Z Alpha
Posted: Thu Jun 26, 2003 4:35 pm

That's why you go and attack him right back!
pizen
Apprentice
Joined: 23 Jun 2002
Posts: 213
Location: Atlanta, GA, USA
Posted: Thu Jun 26, 2003 4:53 pm

simcop2387 wrote:
That's why you go and attack him right back!

And with my luck the FBI comes knocking on MY door.
Senso
Apprentice
Joined: 17 Jun 2003
Posts: 250
Location: Montreal, Quebec
Posted: Thu Jun 26, 2003 7:49 pm

Best example of DoS: Have your website on the Slashdot main page.
All times are GMT