From: Don Lewis
Date: Wed, 21 Jun 2000 17:15:46 -0700
Message-Id: <200006220015.RAA05962@salsa.gv.tsc.tdk.com>
In-Reply-To: <4.3.2.7.2.20000621125756.048b6d80@localhost>
To: Brett Glass, Mike Silbersack, Maksimov Maksim
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: How defend from stream2.c attack?

On Jun 21, 1:03pm, Brett Glass wrote:
} Subject: Re: How defend from stream2.c attack?
} At 10:15 AM 6/21/2000, Mike Silbersack wrote:
}
} >Is ICMP_BANDLIM enabled? If so, crank net.inet.icmp.icmplim down to 20 or
} >so, and you should be just as protected as if enabling the restrict RST
} >option.
}
} If it's an ACK flood, limiting RSTs is important because the response to
} an unexpected ACK is normally supposed to be a RST, not an ICMP packet.
}
} The various "stream.c" exploits cause ICMP floods as well, but this is
} a secondary effect.
}
} The ICMP packets are triggered when RSTs from the attacked host(s) hit the
} upstream router and the spoofed addresses are detected. If there are fewer
} (or no) RSTs, there will not be an ICMP flood.
}
} It's a good idea to turn on ICMP bandwidth limiting, RST restriction, and
} SYN+FIN dropping in your kernel configuration and rc.conf.

Turning on the RST restriction makes it much easier to spoof TCP
connections that appear to come from your machine or to hijack
established TCP connections. Also, if your machine crashes and reboots,
any TCP connections that were established before the crash won't get
torn down until they time out (incoming telnet sessions will just hang,
and you may not be able to reestablish new outgoing connections if the
same port number gets reused).

There's nothing an attacker can do with a SYN+FIN attack that can't be
done by just sending SYN packets. Disabling SYN+FIN breaks T/TCP.
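A small model of the trade-off the thread is arguing about, added here as an illustration and not taken from the mailing-list posts or from the FreeBSD kernel source. It assumes (from memory, as an approximation) that the ICMP_BANDLIM limiter counts responses in one-second windows and drops anything past net.inet.icmp.icmplim, and that closed-port RSTs go through the same counter as ICMP unreachables; the flood is a constructed list of bare ACKs from spoofed sources, not a capture, and the names `BandLimiter`, `Segment`, `respond` and `demo` are this example's own. The same flood is run under no limit, under icmplim=20 (Mike's suggestion), and under RST restriction (Brett's suggestion), which shows why Don objects: the restrict option suppresses every RST, including the ones a legitimate peer would need after a crash.

```python
"""Toy model of FreeBSD-style ICMP/RST bandwidth limiting under an ACK flood.

Added example for this thread; not code from the FreeBSD kernel or from any
poster. The limiter mimics (assumption, from memory) the shape of the
kernel's one-second-window counter that ICMP unreachables and closed-port
RSTs share when ICMP_BANDLIM is set: responses beyond net.inet.icmp.icmplim
per second are silently dropped. The flood is constructed, not captured.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

Conn = Tuple[str, int, int]  # (remote address, remote port, local port)


@dataclass(frozen=True)
class Segment:
    t: float      # arrival time in seconds
    src: str      # source address (spoofed in the flood)
    sport: int
    dport: int
    flags: str    # "A" = bare ACK, "SA", "SF", ...


class BandLimiter:
    """Counts responses per one-second window; refuses once over the limit."""

    def __init__(self, limit: int) -> None:
        self.limit = limit            # analogue of net.inet.icmp.icmplim
        self.window_start: Optional[float] = None
        self.count = 0

    def allow(self, now: float) -> bool:
        # Open a fresh window when the current one is a second old (or absent).
        if self.window_start is None or now - self.window_start >= 1.0:
            self.window_start = now
            self.count = 0
        self.count += 1
        return self.count <= self.limit


def build_ack_flood(n: int, duration: float, dport: int = 80) -> List[Segment]:
    """Constructed flood: n bare ACKs from rotating spoofed sources, evenly spaced."""
    return [
        Segment(t=i * duration / n,
                src=f"198.51.100.{i % 254 + 1}",        # spoofed, documentation range
                sport=1024 + (i * 7919) % 60000,
                dport=dport, flags="A")
        for i in range(n)
    ]


def respond(segments: Iterable[Segment], established: Set[Conn],
            icmplim: int, restrict_rst: bool = False) -> Dict[str, int]:
    """Decide, per segment, whether the host emits a RST.

    A bare ACK matching an established connection is normal traffic. One that
    matches nothing would normally draw a RST; with restrict_rst
    (TCP_RESTRICT_RST) it draws nothing, otherwise the limiter decides.
    """
    limiter = BandLimiter(icmplim)
    stats = {"matched": 0, "rst_sent": 0, "rst_suppressed": 0}
    for seg in sorted(segments, key=lambda s: s.t):
        if (seg.src, seg.sport, seg.dport) in established:
            stats["matched"] += 1
        elif restrict_rst or not limiter.allow(seg.t):
            stats["rst_suppressed"] += 1
        else:
            stats["rst_sent"] += 1
    return stats


def demo(n: int = 1000, duration: float = 2.0) -> Dict[str, Dict[str, int]]:
    """Run one flood under three policies and return the response counts."""
    peer: Conn = ("192.0.2.10", 40000, 80)     # one real session, constructed
    legit = [Segment(t=0.25 * k, src=peer[0], sport=peer[1], dport=peer[2], flags="A")
             for k in range(5)]
    traffic = build_ack_flood(n, duration) + legit
    return {
        "unlimited": respond(traffic, {peer}, icmplim=10**9),
        "icmplim_20": respond(traffic, {peer}, icmplim=20),
        "restrict_rst": respond(traffic, {peer}, icmplim=20, restrict_rst=True),
    }


if __name__ == "__main__":
    for policy, stats in demo().items():
        print(f"{policy:>13}: {stats}")
```

With 1000 spoofed ACKs spread over two seconds, the unlimited host answers every one with a RST (the amplification that feeds the upstream router's ICMP flood), icmplim=20 caps it at 20 RSTs per one-second window, and the restrict option sends none at all, which is the behaviour Don warns about for stale connections after a reboot.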