From: Mike Tancsa <mike@sentex.net>
To: freebsd-security@FreeBSD.org
Date: Wed, 21 Apr 2004 12:30:40 -0400
Subject: Other possible protection against RST/SYN attacks (was Re: TCP RST attack)
In-Reply-To: <20040421111003.GB19640@lum.celabo.org>

One other technique that might help with respect to this attack is what Cisco implemented, commonly known as the "TTL hack":

http://www.nanog.org/mtg-0302/hack.html

I have not tried it yet, and I am not sure of the implications. But on BGP-speaking hosts, what if the following were done? Assuming these are directly connected peers:

    sysctl -w net.inet.ip.ttl=255
    ipfw add 500 allow tcp from any to me 179 ipttl 255
    ipfw add 600 deny log tcp from any to me 179

You would also need to cover the source ports. Not sure what the cleanest-looking rule for that would be.

What nasty side effects would this cause? If the attacker were on the same subnet this would not do anything, but you have larger problems if this is the case.

---Mike

At 07:10 AM 21/04/2004, Jacques A. Vidrine wrote:
>On Tue, Apr 20, 2004 at 01:32:40PM -0700, Dragos Ruiu wrote:
> > Also keep in mind ports are predictable to varying degrees depending on
> > the vendor or OS, which further reduces the brute force space you have to
> > go through without sniffing.
>
>This is exactly why I ported OpenBSD's TCP ephemeral port allocation
>randomization to FreeBSD-CURRENT (although I asked Mike Silby to commit
>it for me and take the blame if it broke :-). It will also be MFC'd
>shortly in time for 4.10-RELEASE.
>
>Cheers,
>--
>Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org
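As an added illustration (not code from the thread or from FreeBSD), the following Python model evaluates the "TTL hack" rule set Mike sketches against constructed BGP packets, including the source-port case he says still needs covering. The local address, peer addresses and packet values are all constructed assumptions.

```python
# Added example: model of the ipfw "TTL hack" filtering discussed above.
# It is not FreeBSD or ipfw code; it mirrors the decision those rules make
# so the effect on directly connected vs. multi-hop (spoofed) packets is visible.
from dataclasses import dataclass

BGP_PORT = 179
MY_ADDR = "192.0.2.1"  # assumed address of the local BGP speaker (constructed)


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    ttl: int
    flags: str = "RST"


def is_bgp(pkt: Packet) -> bool:
    """BGP traffic to this host, matched on the destination port (rules 500/600
    in the post) OR on the source port (the gap the post says must also be covered)."""
    if pkt.dst != MY_ADDR:
        return False
    return pkt.dport == BGP_PORT or pkt.sport == BGP_PORT


def ttl_hack_verdict(pkt: Packet) -> str:
    """'allow' if the packet reached us with TTL 255 (it could only have come
    from a directly connected sender), 'deny' for any other BGP packet,
    'pass' for non-BGP traffic, which falls through to later rules."""
    if not is_bgp(pkt):
        return "pass"
    return "allow" if pkt.ttl == 255 else "deny"


def filter_packets(pkts):
    return [(p.src, p.sport, p.dport, p.ttl, ttl_hack_verdict(p)) for p in pkts]


# Constructed sample traffic
SAMPLE = [
    Packet("192.0.2.2", MY_ADDR, 40000, 179, 255),   # directly connected peer
    Packet("192.0.2.2", MY_ADDR, 179, 40000, 255),   # peer-initiated session
    Packet("192.0.2.2", MY_ADDR, 40000, 179, 247),   # spoofed RST, several hops away
    Packet("203.0.113.9", MY_ADDR, 12345, 22, 60),   # not BGP, left to other rules
]

if __name__ == "__main__":
    for row in filter_packets(SAMPLE):
        print(row)
```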