Date:      Wed, 21 Jun 2000 17:15:46 -0700
From:      Don Lewis <Don.Lewis@tsc.tdk.com>
To:        Brett Glass <brett@lariat.org>, Mike Silbersack <silby@silby.com>, Maksimov Maksim <maksim@tts.tomsk.su>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: How defend from stream2.c attack?
Message-ID:  <200006220015.RAA05962@salsa.gv.tsc.tdk.com>
In-Reply-To: <4.3.2.7.2.20000621125756.048b6d80@localhost>
References:  <000401bfdb64$3eae8320$0c3214d4@dragonland.tts.tomsk.su> <4.3.2.7.2.20000621125756.048b6d80@localhost>

On Jun 21,  1:03pm, Brett Glass wrote:
} Subject: Re: How defend from stream2.c attack?
} At 10:15 AM 6/21/2000, Mike Silbersack wrote:
}   
} >Is ICMP_BANDLIM enabled?  If so, crank net.inet.icmp.icmplim down to 20 or
} >so, and you should be just as protected as if enabling the restrict RST
} >option.
}
} If it's an ACK flood, limiting RSTs is important because the response to 
} an unexpected ACK is normally supposed to be a RST, not an ICMP packet.
} 
} The various "stream.c" exploits cause ICMP floods as well, but this is
} a secondary effect. 
} 
} The ICMP packets are triggered when RSTs from the attacked host(s) hit the 
} upstream router and the spoofed addresses are detected. If there are fewer 
} (or no) RSTs, there will not be an ICMP flood.
} 
} It's a good idea to turn on ICMP bandwidth limiting, RST restriction, and
} SYN+FIN dropping in your kernel configuration and rc.conf.

Turning on the RST restriction makes it much easier to spoof TCP connections
that appear to come from your machine or to hijack established TCP
connections.  Also if your machine crashes and reboots, any TCP connections
that were established before the crash won't get torn down until they
time out (incoming telnet sessions will just hang, and you may not be able
to reestablish new outgoing connections if the same port number gets
reused).

There's nothing an attacker can do with a SYN+FIN attack that can't be
done by just sending SYN packets.  Disabling SYN+FIN breaks T/TCP.
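The trade-off argued in this thread (rate-limit RST responses the way ICMP_BANDLIM limits ICMP, rather than suppressing RSTs entirely) can be illustrated with a small simulation. The following is an added example, not code from the thread or from the FreeBSD kernel: it models a fixed one-second window counter in the spirit of net.inet.icmp.icmplim (the real kernel algorithm is assumed to be more elaborate), feeds it a constructed burst of spoofed ACKs that would each normally draw a RST, followed by a single stale ACK from a pre-crash connection, and compares the result with a limit of zero, which stands in for the "restrict RST" option. All addresses and timestamps are constructed.

```python
"""Simulated per-second RST rate limiting versus full RST suppression.

Added example (not FreeBSD kernel code). Models: each inbound ACK that does
not belong to an established connection would normally be answered with a
RST; a limiter in the style of ICMP_BANDLIM caps how many such RSTs leave
the host per second.  Assumption: a simple fixed-window counter.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed "established connections" table: the only peer this host
# currently has a live TCP session with.
ESTABLISHED = {"198.51.100.20"}


@dataclass
class ResponseLimiter:
    """Allow at most `limit` responses per wall-clock second (icmplim-like)."""
    limit: int
    _window: int = -1
    _count: int = 0
    suppressed: int = 0
    per_window: Dict[int, int] = None  # suppressed responses per second

    def __post_init__(self) -> None:
        self.per_window = {}

    def allow(self, now: float) -> bool:
        second = int(now)
        if second != self._window:          # new one-second window
            self._window = second
            self._count = 0
        self._count += 1
        if self._count > self.limit:
            self.suppressed += 1
            self.per_window[second] = self.per_window.get(second, 0) + 1
            return False
        return True

    def report(self) -> List[str]:
        """Kernel-style summary lines, one per window with suppressed output."""
        return [f"Limiting closed port RST response from {n} to {self.limit} "
                f"packets/sec (window {sec})"
                for sec, n in sorted(self.per_window.items())]


def constructed_events() -> List[Tuple[float, str, str]]:
    """(timestamp, source address, TCP flags) for a stream-style ACK flood
    followed by one legitimate stale ACK.  Constructed sample data."""
    flood = [(10.0 + i * 0.001, f"203.0.113.{i % 250}", "A") for i in range(500)]
    # Peer of a connection that existed before this host rebooted; its ACK
    # must be answered with a RST so the peer tears the session down.
    stale = [(12.0, "192.0.2.7", "A")]
    return flood + stale


def simulate(events, limiter: ResponseLimiter) -> Tuple[int, int]:
    """Return (RSTs sent, RSTs suppressed) for the event stream."""
    sent = 0
    for ts, src, flags in events:
        if "A" in flags and src not in ESTABLISHED:   # unexpected ACK -> RST
            if limiter.allow(ts):
                sent += 1
    return sent, limiter.suppressed


def rst_counts(limit: int) -> Tuple[int, int]:
    """Run the constructed scenario under a given per-second RST limit."""
    return simulate(constructed_events(), ResponseLimiter(limit))


if __name__ == "__main__":
    for lim in (20, 0):
        sent, dropped = rst_counts(lim)
        label = "restrict RST (limit 0)" if lim == 0 else f"limit {lim}/s"
        print(f"{label}: sent {sent} RSTs, suppressed {dropped}")
    for line in ResponseLimiter(20).report():  # fresh limiter: no output
        print(line)
```

With a limit of 20 per second, the flood window yields 20 RSTs (and 480 suppressed), while the stale ACK two seconds later still receives its RST, so the dead connection is torn down; with a limit of 0, standing in for the restrict-RST option, that stale connection is left to time out, which is the hanging-session problem described above.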
