From owner-freebsd-security@FreeBSD.ORG  Tue Nov 22 19:48:57 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 99FCF16A41F
	for <freebsd-security@freebsd.org>;
	Tue, 22 Nov 2005 19:48:57 +0000 (GMT)
	(envelope-from freebsd-security-local@be-well.ilk.org)
Received: from mail23.sea5.speakeasy.net (mail23.sea5.speakeasy.net
	[69.17.117.25]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1FE1B43D60
	for <freebsd-security@freebsd.org>;
	Tue, 22 Nov 2005 19:48:53 +0000 (GMT)
	(envelope-from freebsd-security-local@be-well.ilk.org)
Received: (qmail 6734 invoked from network); 22 Nov 2005 19:48:47 -0000
Received: from dsl092-078-145.bos1.dsl.speakeasy.net (HELO be-well.ilk.org)
	([66.92.78.145])
	(envelope-sender <freebsd-security-local@be-well.ilk.org>)
	by mail23.sea5.speakeasy.net (qmail-ldap-1.03) with SMTP
	for <freebsd-security@freebsd.org>; 22 Nov 2005 19:48:47 -0000
Received: by be-well.ilk.org (Postfix, from userid 1147)
	id 7096D2841B; Tue, 22 Nov 2005 14:48:46 -0500 (EST)
Sender: lowell@be-well.ilk.org
To: freebsd-security@freebsd.org
References: <20051122120112.9D83516A423@hub.freebsd.org>
	<20051122075050.I81101@roble.com> <43836D25.5000101@kernel32.de>
	<20051122112344.U18517@roble.com>
From: Lowell Gilbert <freebsd-security-local@be-well.ilk.org>
Date: 22 Nov 2005 14:48:46 -0500
In-Reply-To: <20051122112344.U18517@roble.com>
Message-ID: <44br0cqx9d.fsf@be-well.ilk.org>
Lines: 14
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.3
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Subject: Re: Need urgent help regarding security
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Nov 2005 19:48:57 -0000


> >Be careful with adding ip addresses to deny via a packet filter.
> >If an attacker uses spoofed IP adresses, you may produce yourself
> >easily a denial of service attack.
> 
> Not sure I agree with the easily part.  TCP transport plus SSH
> protocol spoofing is not a vector that normally needs to be secured
> beyond what is already done in the kernel and router.  That's not to
> say such spoofing cannot be done, just that it is rare and would
> require a compromised router or localnet host at a minimum.

Except that it doesn't require spoofed addresses.  One attacker from the
local university's computer center (or from a large shell service ISP)
could lock out all of the other users on that machine.  Trivially.