One final thing: I would also think it would greatly help Linux's image
if the SYN flood protection patch became a standard feature of the kernel
(the strong one that uses encryption to generate munged sequence numbers
instead of dropping random connections from the queue). This would make
it more difficult for people to spoof to another machine, pretending to be
a Linux machine that is currently on the net. It would allow the Linux
machine to respond to requests that come from the machine the attacker is
spoofing to, and reset them (because they aren't really there). I think
BSD solved this by separating the SYN queue from the SYN/ACK queue (again
I'm not sure about this since I haven't looked at the TCP code yet, and plus
I only heard this secondhand on IRC, it may even be a rumor)...
Thanks to anyone who takes the time to understand this .. :)
-Cowzilla
On Tue, 22 Oct 1996, Zachary Maas wrote:
>
> This may or may not have already been discussed on this
> list but I just recently joined it and have a question
> about Linux and "nuke". Is anything being done to prevent
> the ability to "nuke" Linux machines, in the sense of let's
> say knocking a user off an IRC server sending a spoofed
> ICMP unreachable? Because I know with all Linux versions
> I have used up to and including 2.0.23 I can easily "nuke"
> myself or anyone else off of an IRC server or otherwise
> using a program called snuke.c, the only way I have been
> able to prevent the ability of others to "nuke" me is to
> use ipfwadm to deny icmp's to port 3 (-S 0/0 3).
>
> Sorry if I do not have my terminology down pat but I hope
> at least one person on this list follows me, hehe :)
>
> Thanks,
> Zachary Maas
>
> P.S. once again my apologies if this subject has already
> been discussed and beaten into the ground on this list.
>
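
The reply above mentions SYN flood protection that derives the server's sequence number cryptographically instead of queueing state. The sketch below is an added example of that general idea (commonly called SYN cookies), not the patch the message refers to and not kernel code. The bit layout, the use of HMAC-SHA256, the key, the MSS table and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-secret"  # constructed; a real stack would use a random per-boot key
MSS_TABLE = (536, 1220, 1440, 1460)  # assumed table; only the index travels in the ISN
MASK32 = 0xFFFFFFFF

def _tag(saddr, sport, daddr, dport, client_isn, counter, mss_idx):
    """24-bit keyed hash over everything that identifies this handshake."""
    msg = socket.inet_aton(saddr) + socket.inet_aton(daddr)
    msg += struct.pack("!HHIQB", sport, dport, client_isn, counter, mss_idx)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_isn(saddr, sport, daddr, dport, client_isn, counter, mss_idx):
    """ISN for the SYN/ACK: 5 bits of time counter, 3 bits MSS index, 24-bit tag.
    Nothing is stored per connection, so a SYN flood has no queue to fill."""
    tag = _tag(saddr, sport, daddr, dport, client_isn, counter, mss_idx)
    return ((counter & 0x1F) << 27) | ((mss_idx & 0x7) << 24) | tag

def check_ack(saddr, sport, daddr, dport, client_isn, ack_num, now, max_age=2):
    """Validate the handshake-completing ACK. Returns the MSS, or None to reject."""
    isn = (ack_num - 1) & MASK32            # the ACK must acknowledge our ISN + 1
    age = (now - (isn >> 27)) & 0x1F        # counter ticks since the SYN/ACK was sent
    mss_idx = (isn >> 24) & 0x7
    if age >= max_age or age > now or mss_idx >= len(MSS_TABLE):
        return None                         # stale, impossible, or malformed cookie
    want = _tag(saddr, sport, daddr, dport, client_isn, now - age, mss_idx)
    return MSS_TABLE[mss_idx] if want == (isn & 0xFFFFFF) else None

if __name__ == "__main__":
    peer = ("192.0.2.10", 40000, "198.51.100.5", 6667)  # constructed addresses
    isn = make_isn(*peer, client_isn=1000, counter=7, mss_idx=3)
    print(check_ack(*peer, 1000, (isn + 1) & MASK32, now=7))  # real peer saw the SYN/ACK
    print(check_ack(*peer, 1000, 12345, now=7))               # blind guess at the ACK number
```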