Date: Wed, 19 Sep 2001 10:55:53 -0700
From: Erick Mechler <emechler@techometer.net>
To: Brett Glass <brett@lariat.org>
Cc: security@FreeBSD.ORG
Subject: Re: Defense against "Code Rainbow"
Message-ID: <20010919105553.J3881@techometer.net>
In-Reply-To: <4.3.2.7.2.20010919112438.0598b8b0@localhost>; from Brett Glass on Wed, Sep 19, 2001 at 11:48:18AM -0600
References: <4.3.2.7.2.20010919112438.0598b8b0@localhost>
:: Unfortunately, there was a serious problem with this approach. The BSD
:: TCP/IP stack apparently does not expect its routing table to be very big,
:: and so scans it linearly. This means that, as the list of blackhole
:: routes grew, we started to see serious problems with network performance.
:: I tried creating ipfw rules instead, but discovered that ipfw scans
:: linearly too. What does ipf use? pf? Any ideas for speedups or security
:: enhancements?

What about using TCP wrappers? I'm not sure of the performance implications of doing so, but maybe it's worth a shot.

--Erick
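The quoted complaint is that the blackhole table grows one /32 per attacking host and every lookup then walks the whole list. One defensive way to keep that table short, shown here as an added example that is not part of the thread, is to aggregate the per-host entries before installing them: an exact collapse that blocks nothing extra, and an optional (assumed, not from the thread) policy that blackholes a whole /24 once enough distinct hosts in it have been seen. The source addresses are constructed sample data.

```python
import ipaddress
from collections import Counter

# Constructed sample of attacking source addresses (documentation ranges, not real data).
SAMPLE_SOURCES = [
    "192.0.2.0", "192.0.2.1", "192.0.2.2", "192.0.2.3",            # contiguous /30
    "198.51.100.10", "198.51.100.11",                             # contiguous /31
    "203.0.113.7", "203.0.113.9", "203.0.113.11", "203.0.113.13", # scattered in one /24
    "192.0.2.1",                                                  # duplicate entry
]


def collapse_exact(hosts):
    """Merge per-host (/32) blackhole entries into the fewest prefixes that
    cover exactly those hosts. No additional address is blocked, so this is
    always safe; it only helps when attackers are adjacent."""
    nets = {ipaddress.ip_network(h) for h in hosts}   # dedups and builds /32s
    return sorted(ipaddress.collapse_addresses(nets))


def rollup_dense(hosts, prefixlen=24, threshold=4):
    """Assumed policy (not from the thread): once `threshold` distinct hosts
    fall inside one /prefixlen, blackhole that whole prefix. Shorter table at
    the cost of over-blocking the unseen neighbours in that block."""
    distinct = {ipaddress.ip_address(h) for h in hosts}
    per_block = Counter(
        ipaddress.ip_network(f"{a}/{prefixlen}", strict=False) for a in distinct
    )
    rolled = {blk for blk, n in per_block.items() if n >= threshold}
    leftovers = {
        ipaddress.ip_network(a) for a in distinct
        if not any(a in blk for blk in rolled)
    }
    return sorted(ipaddress.collapse_addresses(rolled | leftovers))


def is_blackholed(addr, table):
    """Linear prefix match, mirroring what the thread says the stack does;
    the point of aggregation is to make `table` as short as possible."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in table)


if __name__ == "__main__":
    exact = collapse_exact(SAMPLE_SOURCES)
    dense = rollup_dense(SAMPLE_SOURCES)
    print(f"{len(set(SAMPLE_SOURCES))} hosts -> {len(exact)} exact prefixes -> {len(dense)} with /24 rollup")
    print("203.0.113.8 blocked? exact:", is_blackholed("203.0.113.8", exact),
          "rollup:", is_blackholed("203.0.113.8", dense))
```

The printed comparison shows the trade-off: the exact collapse never blocks 203.0.113.8, while the /24 rollup does, so the threshold is a policy choice rather than a free speedup.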