From owner-freebsd-security Wed Jun 21 17:24:36 2000
From: Don Lewis
Message-Id: <200006220024.RAA05975@salsa.gv.tsc.tdk.com>
Date: Wed, 21 Jun 2000 17:24:29 -0700
In-Reply-To: <000401bfdb64$3eae8320$0c3214d4@dragonland.tts.tomsk.su>
References: <000401bfdb64$3eae8320$0c3214d4@dragonland.tts.tomsk.su>
To: "Maksimov Maksim"
Subject: Re: How defend from stream2.c attack?

On Jun 21, 5:36pm, "Maksimov Maksim" wrote:
} Subject: How defend from stream2.c attack?
} How defend from stream2.c attack (flooding ACK-packets) on my FreeBSD box?
} I install FreeBSD 4.0-20000608-STABLE, but stream2.c attack freezed this
} FreeBSD box as before!

This version of FreeBSD should be fairly immune to the standard stream2.c
attack (even without ICMP_BANDLIM, which I would recommend using). It seems
the biggest part of the problem was caused by the incoming packets which had
IP addresses in the multicast range. We tweaked tcp_input() so that these
get ignored.

We didn't do anything about broadcast source addresses, so if you are
attacked by a variant of stream2 that uses these you could still have
problems. I would recommend adding packet filter rules that block incoming
packets with IP broadcast addresses, both 255.255.255.255, and the broadcast
address(es) of your local network(s).
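
The filter rules recommended in the reply above, as an added example that is not part of the original message or of FreeBSD's own scripts: a shell helper that computes each local network's directed broadcast address and prints ipfw rules dropping inbound packets that claim such a source. The interface name fxp0, the rule numbers and the two networks are constructed assumptions; the rules are only printed, not installed.

```shell
#!/bin/sh
# Added example. Prints ipfw rules that drop inbound packets whose SOURCE is
# a broadcast address. Interface, rule numbers and networks are assumptions.

# bcast_addr A.B.C.D/LEN -> directed broadcast address of that network
bcast_addr() {
    addr=${1%/*}
    len=${1#*/}
    case $addr in ''|*[!0-9.]*) return 1 ;; esac
    case $len in ''|*[!0-9]*|0?*) return 1 ;; esac
    [ "$len" -le 30 ] || return 1      # /31 and /32 have no broadcast address
    old_ifs=$IFS; IFS=.
    set -- $addr                       # split the dotted quad into $1..$4
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        # reject empty octets and leading zeros (would be read as octal)
        case $o in ''|0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    host=$(( (1 << (32 - $len)) - 1 )) # mask with every host bit set
    b=$(( $ip | $host ))
    echo "$(( ($b >> 24) & 255 )).$(( ($b >> 16) & 255 )).$(( ($b >> 8) & 255 )).$(( $b & 255 ))"
}

# broadcast_source_rules IFACE FIRST_RULE CIDR... -> ipfw commands on stdout
broadcast_source_rules() {
    iface=$1; n=$2; shift 2
    # The limited broadcast address is never a legitimate source.
    echo "ipfw add $n deny ip from 255.255.255.255 to any in via $iface"
    for net in "$@"; do
        bc=$(bcast_addr "$net") || { echo "bad network: $net" >&2; return 1; }
        n=$(( $n + 10 ))
        echo "ipfw add $n deny ip from $bc to any in via $iface"
    done
}

# Constructed sample: one external interface, two local networks.
broadcast_source_rules fxp0 400 192.168.1.0/24 10.20.0.0/22
```

Review the printed commands and place them ahead of any rule that would accept the traffic, since ipfw stops at the first matching rule.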