Date: Wed, 21 Jun 2000 17:51:19 +0200 (CEST)
From: Bart van Leeuwen <bart@ixori.demon.nl>
To: Brett Glass <brett@lariat.org>
Cc: Maksimov Maksim <maksim@tts.tomsk.su>, freebsd-security@freebsd.org
Subject: Re: How defend from stream2.c attack?
Message-ID: <Pine.BSF.4.21.0006211728580.2476-100000@isengard.ixori.demon.nl>
In-Reply-To: <4.3.2.7.2.20000621085414.045fdaa0@localhost>
It looks like the assumption that you need to build a new kernel to get the option to limit sending out RSTs is correct. (The GENERIC config file doesn't contain the options, and sysctl shows the vars aren't there ;-) You'll need to add the correct lines to the config file... not just recompile, but I guess that's obvious to all except for a very inexperienced user.

What I do wonder about, however, is whether that option will help here. I can see how it would help against SYN floods and maybe SYN+ACK floods. To me it seems like this solves a bandwidth saturation problem, not a local freeze of the machine (though it could, because of just not running out of resources due to this restriction, maybe). I'd be very interested to hear why it might help here, to enhance my understanding of TCP/IP and FreeBSD's stack.

Btw, IMHO limiting RST on SYN+ACK might very well cause SYN flooding of another host when some bugger happens to use your IP as a decoy in an nmap scan, for example.

If nothing else works then you could always rate limit or drop those packets (or possible replies) with a stateful ipfw + dummynet ;-)

Oh... which stream2.c do you mean? (I have a couple of files by that name on my system, and knowing which one you are talking about might help to provide you with a tested and much more concrete solution, if there is any ;-)

Bart van Leeuwen
-----------------------------------------------------------
mailto:bart@ixori.demon.nl - http://www.ixori.demon.nl/
-----------------------------------------------------------

On Wed, 21 Jun 2000, Brett Glass wrote:

> Have you turned on the kernel flag that restricts emission of
> RST packets? I am not sure, but I think that Matt -- who is a
> stickler for RFC compliance -- may have set things up so that
> one must recompile the kernel before the flag will work.
>
> --Brett
>
> At 03:36 AM 6/21/2000, Maksimov Maksim wrote:
>
> >How do I defend against a stream2.c attack (flooding ACK packets) on my FreeBSD box?
> >I installed FreeBSD 4.0-20000608-STABLE, but the stream2.c attack froze this
> >FreeBSD box as before!
> >Help!
> >
> >Best regards,
> >Maks Maksimov mailto:maksim@tts.tomsk.su
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-security" in the body of the message
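As an added example (not code from the thread, and not FreeBSD's own implementation of the kernel option Brett refers to, which the thread does not name or describe), the Python below models the reply-side question Bart raises: a stack that answers every stray ACK to a closed port with a RST does reply work proportional to the flood, whereas a per-second cap on RST emission bounds that work. The per-second window, the packet tuple, the set of listening ports and the constructed flood are all assumptions of the example.

```python
"""Model of an ACK flood against closed ports, with and without a cap on
RST replies.  Added illustration only; the window size, packet layout and
traffic are constructed for the example and are not FreeBSD internals."""
from collections import namedtuple

# Assumed minimal view of a TCP segment: arrival time, source address,
# destination port and a string of flag letters ("A" = ACK, "R" = RST).
Packet = namedtuple("Packet", "ts src dport flags")

# Assumed set of ports with a listener on the victim host.
LISTENING_PORTS = frozenset({22, 80})


def needs_rst(pkt, listening=LISTENING_PORTS):
    """A conforming stack answers any segment for a port with no socket
    with a RST, unless the incoming segment is itself a RST (RFC 793)."""
    return "R" not in pkt.flags and pkt.dport not in listening


class RstLimiter:
    """Allow at most `limit` RSTs per one-second window and suppress the
    rest.  The counter resets whenever the clock enters a new second, which
    is the simplest shape such a limiter can take (an assumption here)."""

    def __init__(self, limit):
        self.limit = limit
        self.window = None   # integer second currently being counted
        self.count = 0       # RST attempts seen in that second

    def allow(self, ts):
        sec = int(ts)
        if sec != self.window:
            self.window, self.count = sec, 0
        self.count += 1
        return self.count <= self.limit


def make_flood(n, start=0.0, pps=20000):
    """Constructed flood: n ACK-only segments from rotating spoofed sources
    to closed ports above 1024, arriving at `pps` packets per second."""
    pkts = []
    for i in range(n):
        src = "10.%d.%d.%d" % ((i >> 16) & 255, (i >> 8) & 255, i & 255)
        dport = 1024 + (i * 7919) % 60000      # never hits 22 or 80
        pkts.append(Packet(start + i / pps, src, dport, "A"))
    return pkts


def run(pkts, limit=None):
    """Return (rsts_sent, rsts_suppressed) for the packet stream, with an
    optional per-second cap on RST replies."""
    limiter = RstLimiter(limit) if limit else None
    sent = suppressed = 0
    for p in pkts:
        if not needs_rst(p):
            continue                           # no reply owed at all
        if limiter is None or limiter.allow(p.ts):
            sent += 1
        else:
            suppressed += 1
    return sent, suppressed


if __name__ == "__main__":
    flood = make_flood(40000)                 # two seconds at 20000 pps
    print("uncapped:", run(flood))            # every ACK earns a RST
    print("capped at 100/s:", run(flood, 100))
```

With the constructed two-second flood, `run(flood)` returns (40000, 0) and `run(flood, 100)` returns (200, 39800): the cap turns reply volume from "one per attacker packet" into "one hundred per second" regardless of flood rate. What the cap does not change is the cost of receiving and classifying the inbound segments, which is why a limit on replies addresses outbound bandwidth and reply processing rather than input-side load; dropping or rate-limiting the inbound packets before they reach the stack, the ipfw + dummynet approach Bart mentions, is the other lever.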