Date: Wed, 21 Apr 2004 12:30:40 -0400 From: Mike Tancsa <mike@sentex.net> To: freebsd-security@FreeBSD.org Subject: Other possible protection against RST/SYN attacks (was Re: TCP RST attack Message-ID: <6.0.3.0.0.20040421121715.04547510@209.112.4.2> In-Reply-To: <20040421111003.GB19640@lum.celabo.org> References: <6.0.3.0.0.20040420125557.06b10d48@209.112.4.2> <xzp65buh5fa.fsf@dwp.des.no> <6.0.3.0.0.20040420144001.0723ab80@209.112.4.2> <200404201332.40827.dr@kyx.net> <20040421111003.GB19640@lum.celabo.org>
next in thread | previous in thread | raw e-mail | index | archive | help
One other technique that might help with respect to this attack is what Cisco implemented, commonly known as the "TTL hack" http://www.nanog.org/mtg-0302/hack.html I have not tried it yet, and I am not sure of the implications. But on bgp speaking hosts, what if the following were done. Assuming these are directly connected peers, sysctl -w net.inet.ip.ttl=255 ipfw add 500 allow tcp from any to me 179 ipttl 255 ipfw add 600 deny log tcp from any to me 179 You would also need to cover the source ports. Not sure what the cleanest looking rule for that would be. What nasty side effects would this cause ? If the attacker were on the same subnet this would not do anything, but you have larger problems if this is the case. ---Mike At 07:10 AM 21/04/2004, Jacques A. Vidrine wrote: >On Tue, Apr 20, 2004 at 01:32:40PM -0700, Dragos Ruiu wrote: > > Also keep in mind ports are predictable to varying degrees depending on > > the vendor or OS, which further reduces the brute force space you have to > > go though without sniffing. > >This is exactly why I ported OpenBSD's TCP ephemeral port allocation >randomization to FreeBSD-CURRENT (although I asked Mike Silby to commit >it for me and take the blame if it broke :-). It will also be MFC'd >shortly in time for 4.10-RELEASE. > >Cheers, >-- >Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6.0.3.0.0.20040421121715.04547510>