ZMUD and SYN attacks?

Date: 07/12/97


We have experienced an interesting problem that I am curious as to
whether anyone else has seen... and might have recommendations on
how to address.  The environment is heavily modified circle 3.0bp11.

The symptoms:

1) The Linux kernel (2.0.30 with SYN and RST cookies enabled) reports:
   Warning: possible SYN flooding. Sending Cookies.
   (the warning  is sometimes repeated many many times) then...
   validated probe(1d8b22cf, 50e660ce, 1846, 4000, 1222112936)

2) Usually concurrent with this we also see MANY instances in the
   circle syslog of:
   [ Losing descriptor without char. ]

After sniffing the lan trying to catch the alleged SYN flooder, we
find the packets originating from a player that has shown no tendenancy
to attack the mud in the past.  Further, most SYN attacks disguise
the origin IP address and use random destination port numbers... such
is not the case here.  We suspect that this was not a malicious attack.

The player advises that she is using ZMUD 4.58 with autologin enabled.
It is not difficult to envision how the autologin, in marginal network
conditions, can produce this symptom.

So... assuming that ZMUD does not have an autologin bug... I thought
I might draw upon the collective wisdom of this list for ideas.


Matthew C. Petty
Age of War: 4000

      | Ensure that you have read the CircleMUD Mailing List FAQ: |
      |   |

This archive was generated by hypermail 2b30 : 12/08/00 PST