Re: [admin] ZMUD and SYN attacks?

From: Leonardo Herrera (leherrer@ENTELCHILE.NET)
Date: 07/21/97

mcp@DRAPER.NET wrote:
> Hi,
> We have experienced an interesting problem that I am curious as to
> whether anyone else has seen... and might have recommendations on
> how to address.  The environment is heavily modified circle 3.0bp11.
> The symptoms:
> 1) The Linux kernel (2.0.30 with SYN and RST cookies enabled) reports:
>    Warning: possible SYN flooding. Sending Cookies.
>    (the warning  is sometimes repeated many many times) then...
>    validated probe(1d8b22cf, 50e660ce, 1846, 4000, 1222112936)
> 2) Usually concurrent with this we also see MANY instances in the
>    circle syslog of:
>    [ Losing descriptor without char. ]
> After sniffing the lan trying to catch the alleged SYN flooder, we
> find the packets originating from a player that has shown no tendenancy
> to attack the mud in the past.  Further, most SYN attacks disguise
> the origin IP address and use random destination port numbers... such
> is not the case here.  We suspect that this was not a malicious attack.
> The player advises that she is using ZMUD 4.58 with autologin enabled.
> It is not difficult to envision how the autologin, in marginal network
> conditions, can produce this symptom.
> So... assuming that ZMUD does not have an autologin bug... I thought
> I might draw upon the collective wisdom of this list for ideas.

> Matthew C. Petty
> ---------------------------------------
> Age of War: 4000
>              (

I play some MUD's using zMud. I've noted that zMUD throw the message
"Connected to x.x.x.x" when it connects... That's nothing special, but
sometimes throws this message two or three times before connect. I
connect with zMUD to my own Mud, and when I make a 'users' command, I
get 3 users without char (in CON_GET_NAME state). Well... i don't know
what means this, but...


P.S. : I'll get english lessons. Someday, i think...
Leonardo Herrera L.

     | Ensure that you have read the CircleMUD Mailing List FAQ:  |
     | |

This archive was generated by hypermail 2b30 : 12/08/00 PST