Bugtraq mailing list archives

new variation on synflood?


From: John Comeau <jcomeau () dialtoneinternet net>
Date: Wed, 2 Aug 2000 21:54:12 -0400

Over the past few weeks we've seen a new (to us) type of SYN attack which
seems to be using a weakness, if not a bug, in Linux's TCP/IP stack to use any
Linux machine (looks like 2.2.12-20 and 2.2.16-3 at least) to reflect an
attack to any destination. Here's the scenario as I understand it, having
finally taken a few minutes to analyze it:

The IP header shows total packet length 40, meaning 0 data (just 20 bytes each
for IP header and TCP header). But in reality, after 12 bytes of 0s, there is
all kinds of random data, some webpages, some chat traffic, binaries,
whatever, following the TCP header. The packet is to an unused port on the
target, usually a low number such as 2 or 56. The IPs seem to be spoofed,
which allows the spoofed IPs to be hit just as hard as the target.

The RST from the target has a similar header but includes an equal number of
bytes of garbage, and not necessarily the same garbage either; it just seems
to be getting it from any recently-deallocated RAM.

If necessary, I'll take the time to research it better, and post an exploit if
not a patch. Or does the whole world already know except me?
--
John Comeau - Chief Technology Officer
Dialtone Internet - Extremely Fast Web Systems
954-581-0097  fax://954-581-7629
jcomeau () dialtoneinternet net
http://www.dialtoneinternet.net
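A detection check for the pattern described in the post, added here as an example and not part of the original message: it parses captured IPv4/TCP frames (link layer already stripped), compares the IP total length with the bytes actually captured, and flags headers-only SYN or RST packets whose trailing bytes are not the all-zero padding a short frame normally carries. The addresses, ports and trailer contents are constructed sample data.

```python
import struct

SYN, RST = 0x02, 0x04

def build_packet(src, dst, sport, dport, flags, trailer=b""):
    """Constructed 40-byte IPv4/TCP packet (checksums left at 0) plus any
    trailing bytes, as the frame looks once the link layer is stripped."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 512, 0, 0)
    return ip + tcp + trailer

def parse_ipv4_tcp(frame):
    """Read the IPv4/TCP headers and report bytes beyond the declared total length."""
    ver_ihl, _tos, total_len = struct.unpack("!BBH", frame[:4])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or frame[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", frame[ihl:ihl + 14])
    trailer = frame[total_len:]   # whatever follows what the IP header claims is the end
    return {
        "src": ".".join(map(str, frame[12:16])), "dst": ".".join(map(str, frame[16:20])),
        "sport": sport, "dport": dport, "flags": off_flags & 0x3F,
        "declared_len": total_len, "trailer_len": len(trailer),
        "trailer_nonzero": any(trailer),
    }

def suspicious(info):
    """The pattern in the post: headers only (40 bytes declared), SYN or RST set,
    and non-zero data after the headers. Zero-filled link-layer padding on a
    short frame is expected; non-zero trailing bytes are not."""
    return bool(info["declared_len"] == 40 and info["flags"] & (SYN | RST)
                and info["trailer_len"] > 0 and info["trailer_nonzero"])

# Constructed samples: a SYN carrying garbage, the reflected RST, and a normal padded SYN
GARBAGE_IN = b"\x00" * 12 + b"<html><body>leaked"
GARBAGE_OUT = b"\x00" * 12 + b"PRIVMSG #chan :hi!"
SAMPLES = {
    "syn_with_garbage": build_packet("10.0.0.7", "192.0.2.10", 40000, 2, SYN, GARBAGE_IN),
    "rst_with_garbage": build_packet("192.0.2.10", "10.0.0.7", 2, 40000, RST | 0x10, GARBAGE_OUT),
    "normal_padded_syn": build_packet("10.0.0.8", "192.0.2.10", 40001, 80, SYN, b"\x00" * 18),
}

def classify(samples=SAMPLES):
    """Map each sample name to whether it matches the reflected-garbage pattern."""
    return {name: suspicious(parse_ipv4_tcp(frame)) for name, frame in samples.items()}

if __name__ == "__main__":
    for name, hit in classify().items():
        print(f"{name}: {'SUSPICIOUS' if hit else 'ok'}")
```

On a live capture the same check can be run per frame; a burst of flagged SYNs to low ports with trailers that differ from packet to packet is the signature the post describes.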

