Hi!

I've read some explanations about the SYN flood DoS attack.
I understand that when the attacker fills the listening queue of the
attacked host with incomplete connections, the attacked host will not
reply to any SYN it receives after that.

However, I don't understand why it will not even reply with an RST
when it receives a SYN-ACK from another machine.

For example, take a look at Kevin Mitnick's famous attack.

First, Mitnick SYN-floods "server".

14:18:22.516699 130.92.6.97.600 > server.login: S 1382726960:1382726960(0) win 4096
14:18:22.566069 130.92.6.97.601 > server.login: S 1382726961:1382726961(0) win 4096
[....and lots of other SYNs....]


Then he spoofs server's IP address and tries to connect to x-terminal.
He sends a SYN from server to x-terminal. Then I think x-terminal
sends a SYN/ACK back to server, BUT server IGNORES it (if not, this
attack wouldn't have succeeded). Then Mitnick predicts the TCP
sequence number and sends an ACK, so that he's able to ESTABLISH the
connection.

14:18:36.245045 server.login > x-terminal.shell: S 1382727010:1382727010(0) win 4096
14:18:36.755522 server.login > x-terminal.shell: . ack 2024384001 win 4096

My question is why didn't server send an RST in response to the
SYN/ACK x-terminal sent to it?

I understand that if a host has its listening queue full, it'll ignore
the following SYNs, because it has "no resources" to keep state
information for a new connection.
But why doesn't it reply to a SYN/ACK with an RST, if it DOES KNOW that
that segment doesn't correspond to any current connection?

Kind regards,
Fernando Gont
