Date: Wed, 21 Jun 2000 13:03:07 -0600
From: Brett Glass <brett@lariat.org>
To: Mike Silbersack <silby@silby.com>, Maksimov Maksim <maksim@tts.tomsk.su>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: How defend from stream2.c attack?
Message-ID: <4.3.2.7.2.20000621125756.048b6d80@localhost>
In-Reply-To: <Pine.BSF.4.21.0006211113140.60705-100000@achilles.silby.com>
References: <000401bfdb64$3eae8320$0c3214d4@dragonland.tts.tomsk.su>

At 10:15 AM 6/21/2000, Mike Silbersack wrote:

>Is ICMP_BANDLIM enabled? If so, crank net.inet.icmp.icmplim down to 20 or
>so, and you should be just as protected as if enabling the restrict RST
>option.

If it's an ACK flood, limiting RSTs is important because the response to an unexpected ACK is normally supposed to be a RST, not an ICMP packet.

The various "stream.c" exploits cause ICMP floods as well, but this is a secondary effect. The ICMP packets are triggered when RSTs from the attacked host(s) hit the upstream router and the spoofed addresses are detected. If there are fewer (or no) RSTs, there will not be an ICMP flood.

It's a good idea to turn on ICMP bandwidth limiting, RST restriction, and SYN+FIN dropping in your kernel configuration and rc.conf.

--Brett
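
The three settings named in the message, written out as an added configuration sketch that is not part of the original e-mail. ICMP_BANDLIM and net.inet.icmp.icmplim (with the value 20) come from the quoted text; the RST and SYN+FIN option names are the FreeBSD 4.x-era knobs and are an assumption about the release in use.

```conf
# --- kernel configuration file (rebuild and install the kernel afterwards) ---
options         ICMP_BANDLIM        # ICMP bandwidth limiting
options         TCP_RESTRICT_RST    # compile in RST restriction (assumed 4.x-era name)
options         TCP_DROP_SYNFIN     # compile in SYN+FIN dropping (assumed 4.x-era name)

# --- /etc/rc.conf: turn the compiled-in TCP options on at boot ---
tcp_restrict_rst="YES"              # restrict emission of TCP RST
tcp_drop_synfin="YES"               # drop TCP packets that carry both SYN and FIN

# --- /etc/sysctl.conf: lower the ICMP_BANDLIM ceiling ---
net.inet.icmp.icmplim=20            # value suggested in the quoted message
```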