From owner-freebsd-security Fri Jan 21 19:53:19 2000
Delivered-To: freebsd-security@freebsd.org
Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2]) by hub.freebsd.org (Postfix) with ESMTP id 5644C14E46 for ; Fri, 21 Jan 2000 19:53:14 -0800 (PST) (envelope-from dillon@apollo.backplane.com)
Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id TAA66856; Fri, 21 Jan 2000 19:53:07 -0800 (PST) (envelope-from dillon)
Date: Fri, 21 Jan 2000 19:53:07 -0800 (PST)
From: Matthew Dillon 
Message-Id: <200001220353.TAA66856@apollo.backplane.com>
To: Brett Glass 
Cc: Dag-Erling Smorgrav , Keith Stevenson , freebsd-security@FreeBSD.ORG
Subject: Re: Some observations on stream.c and streamnt.c
References: <4.2.2.20000120194543.019a8d50@localhost> <20000121162757.A7080@osaka.louisville.edu> <4.2.2.20000121195112.0196a220@localhost>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

:...
:amplify the attack by triggering ICMP traffic.
:
:So, one might argue that RSTs could (and should!) be turned off a certain
:amount of time after a machine boots. After all, once it's past the
:time when they can reasonably be used to kill old sessions, they're
:pretty much only going to be responses to attacks (see RFC 793). And
:they'll allow port probing.
:
:My preference as a sysadmin would therefore be to rate-limit during
:the "cleanup" period but ramp the limit down to zero thereafter.
:This might be the best of all worlds for those of us who don't want to
:be probed but want to be able to reboot gracefully -- which is what
:the protocol designers had in mind.
:
:--Brett

Brett, it's an interesting rationalization, but it's completely wrong. If you think a moment you will find that there are plenty of RST situations long after boot. Think of all those dialup connections where people turn off their modems before disconnecting, for example.
At BEST our servers always had a large number of hanging connections from that sort of situation. Now what happens when someone new gets that dynamic dialup IP and connects back to the same server using the same port pair? There are ftp port-pairs, there is the tendency for machines to reuse port numbers, there are all sorts of problems that RST helps with.

Believe me, RSTs are useful. Rationalizing them away just isn't going to work. You will wind up with some convoluted set of rules and conditions when all you had to do in the first place was turn on ICMP_BANDLIM.

As far as port probing goes: So what? Do you think preventing people from identifying your machine will make it more secure? I got news for you! Most machine compromises come from the inside-out, when your users pick stupid passwords or login from a public library. I would stop worrying about silly things like port probing and instead work on more meaningful security measures. You will only twist yourself in knots and screw up your system with convoluted options that go wayyy too far.

-Matt
Matthew Dillon 
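The two points Matt makes above, as an added toy model that is not code from this thread, from FreeBSD, or from stream.c: (1) a server's stale ESTABLISHED entry, left behind by a dialup peer that powered off without closing, is cleared only because the next holder of the same address/port pair sends a RST. The server answers the unexpected SYN with an ACK (RFC 793 answers an out-of-window SYN that way, and a fresh client ISN is almost always out of the stale window; the in-window case and all sequence-number checks are omitted here), the client in SYN-SENT sees an ACK for a SYN it never sent and replies RST, and that RST tears the stale entry down, so the retransmitted SYN is then accepted. (2) RSTs to closed ports are still sent, but under a per-second budget in the spirit of ICMP_BANDLIM, so a spoofed-source ACK flood cannot turn the host into a RST amplifier while small amounts of ordinary traffic are unaffected. The addresses, ports, the set of listening ports, and the budget of 100 RSTs per second (the `net.inet.icmp.icmplim` default as I recall it from that era) are assumptions, and the three-way handshake is collapsed to a single step.

```c
/*
 * Added example (not from the thread, FreeBSD, or stream.c): a toy TCP
 * input routine showing why RSTs are needed long after boot, plus a
 * per-second RST budget modelled loosely on ICMP_BANDLIM.  Sequence
 * numbers and the real handshake are deliberately left out.
 */
#include <stdint.h>
#include <string.h>

enum tcp_state { CLOSED = 0, ESTABLISHED };
enum { F_SYN = 1, F_ACK = 2, F_RST = 4 };
enum reply { R_NONE, R_ACK, R_RST, R_LIMITED, R_ACCEPT };

struct seg { uint32_t saddr; uint16_t sport, dport; int flags; };

#define MAXCONN 16
static struct { enum tcp_state st; uint32_t raddr; uint16_t rport, lport; } tcb[MAXCONN];

/* RST budget per wall-clock second; 100 is an assumed icmplim-style default. */
static int rst_limit = 100;
static int rst_used;
static long rst_second = -1;

static int rst_budget_ok(long now)
{
    if (now != rst_second) { rst_second = now; rst_used = 0; }
    return rst_used++ < rst_limit;
}

/* Assumed listeners: ftp and http. Everything else is a closed port. */
static int listening(uint16_t port) { return port == 21 || port == 80; }

static int find_tcb(const struct seg *s)
{
    for (int i = 0; i < MAXCONN; i++)
        if (tcb[i].st != CLOSED && tcb[i].raddr == s->saddr &&
            tcb[i].rport == s->sport && tcb[i].lport == s->dport)
            return i;
    return -1;
}

static int alloc_tcb(const struct seg *s)
{
    for (int i = 0; i < MAXCONN; i++)
        if (tcb[i].st == CLOSED) {
            tcb[i].st = ESTABLISHED; tcb[i].raddr = s->saddr;
            tcb[i].rport = s->sport;  tcb[i].lport = s->dport;
            return i;
        }
    return -1;
}

/* Server-side processing of one incoming segment. */
enum reply server_input(const struct seg *s, long now)
{
    int i = find_tcb(s);
    if (i >= 0) {
        if (s->flags & F_RST) { tcb[i].st = CLOSED; return R_NONE; } /* RST aborts (RFC 793) */
        if (s->flags & F_SYN) return R_ACK;   /* unexpected SYN on a live connection: ACK it */
        return R_NONE;                        /* ordinary segment: nothing modelled here */
    }
    if (listening(s->dport) && (s->flags & (F_SYN | F_ACK)) == F_SYN)
        return alloc_tcb(s) >= 0 ? R_ACCEPT : R_NONE;  /* handshake collapsed to one step */
    if (s->flags & F_RST) return R_NONE;                /* never answer a RST with a RST */
    return rst_budget_ok(now) ? R_RST : R_LIMITED;      /* no connection: RST, within budget */
}

/* Client in SYN-SENT: an ACK that does not acknowledge our SYN gets a RST (RFC 793). */
enum reply client_syn_sent_input(enum reply from_server)
{
    return from_server == R_ACK ? R_RST : R_NONE;
}

/* Scenario 1 (constructed): dialup user at 10.0.0.5:1024 connects to ftp, powers off,
 * and the next user assigned 10.0.0.5 picks source port 1024 again. Returns 1 if the
 * stale entry is cleared by the new client's RST and its retransmitted SYN is accepted. */
int stale_connection_cleared(void)
{
    memset(tcb, 0, sizeof tcb);
    struct seg syn = { 0x0a000005u, 1024, 21, F_SYN };
    struct seg rst = { 0x0a000005u, 1024, 21, F_RST };
    if (server_input(&syn, 0) != R_ACCEPT) return 0;   /* first user; entry stays ESTABLISHED */
    enum reply r = server_input(&syn, 3600);           /* new user, an hour later, same pair */
    if (r != R_ACK) return 0;
    if (client_syn_sent_input(r) != R_RST) return 0;   /* new client answers the bogus ACK */
    server_input(&rst, 3600);                           /* stale entry torn down */
    return server_input(&syn, 3601) == R_ACCEPT;        /* retransmitted SYN now succeeds */
}

/* Scenario 2 (constructed): n spoofed-source ACKs to closed ports within one second,
 * as a stream.c-style flood would send. Returns how many RSTs the host emits. */
int rsts_emitted_for_flood(int n, long second)
{
    int sent = 0;
    for (int k = 0; k < n; k++) {
        struct seg s = { 0xc0a80000u + (uint32_t)k, (uint16_t)(1024 + k),
                         (uint16_t)(2000 + k % 1000), F_ACK };
        if (server_input(&s, second) == R_RST) sent++;
    }
    return sent;
}
```

With the budget in place a flood of a thousand spoofed ACKs in one second draws a hundred RSTs rather than a thousand, while the stale-connection cleanup in scenario 1 never touches the budget at all, because RSTs that arrive for an existing connection are consumed, not answered. That is the distinction Brett's "turn RSTs off after boot" proposal loses: the RSTs that matter most are the ones the host receives, not the ones it sends.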