From owner-freebsd-security Wed Sep 19 11:20:21 2001
Delivered-To: freebsd-security@freebsd.org
Received: from webs1.accretive-networks.net (webs1.accretive-networks.net [207.246.154.13]) by hub.freebsd.org (Postfix) with ESMTP id 9AD9737B415; Wed, 19 Sep 2001 11:20:16 -0700 (PDT)
Received: from localhost (davidk@localhost) by webs1.accretive-networks.net (8.11.1/8.11.3) with ESMTP id f8JHGFa31255; Wed, 19 Sep 2001 10:16:15 -0700 (PDT)
Date: Wed, 19 Sep 2001 10:16:15 -0700 (PDT)
From: David Kirchner
To: Brett Glass
Subject: Re: Defense against "Code Rainbow"
In-Reply-To: <4.3.2.7.2.20010919112438.0598b8b0@localhost>
Message-ID: <20010919101020.B85958-100000@localhost>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 19 Sep 2001, Brett Glass wrote:

> Unfortunately, there was a serious problem with this approach. The BSD
> TCP/IP stack apparently does not expect its routing table to be very big,
> and so scans it linearly.

Something I've wanted to implement but haven't, because I'm not really
knowledgeable enough, is a sysctl that would enable/disable dynamic route
creation. It's so rare that any one of these /32 routes the server creates
will ever be different than any of the others that it's just a waste of
resources for the system to track them. Those that want to route with
their BSD box would leave dynamic routes enabled.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
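The message above is about the cost of the cloned /32 host routes the BSD stack creates on its own. A defender who cannot turn cloning off can at least watch how many of them exist. The script below is an added example, not code from David Kirchner or from the FreeBSD project: it parses `netstat -rn` style output and counts routes whose Flags column carries both H (host route) and W (was cloned), and offers a threshold check that a cron job or monitoring agent could call. The routing-table text is constructed for the example (RFC 5737 documentation addresses and made-up MAC addresses), and the flag letters follow the FreeBSD 4.x `netstat` conventions; on a live host one would pipe the real `netstat -rn` output into `count_cloned_routes` instead.

```shell
#!/bin/sh
# Count cloned host routes in netstat -rn style output (added example).
# Constructed sample; no real system produced these lines.
# FreeBSD 4.x flag letters: U=up, G=gateway, H=host route, C=cloning,
# W=was cloned (i.e. a dynamic /32 created by the stack), S=static, L=link.
SAMPLE_ROUTES='Destination        Gateway            Flags     Refs     Use  Netif Expire
default            192.0.2.1          UGSc        3        0    fxp0
127.0.0.1          127.0.0.1          UH          1        0    lo0
192.0.2/24         link#1             UC          2        0    fxp0
192.0.2.1          00:00:5e:00:53:01  UHLW        4      120    fxp0   1176
192.0.2.44         00:00:5e:00:53:2c  UHLW        1        5    fxp0    900
198.51.100.7       192.0.2.1          UGHW        1       10    fxp0    300'

# count_cloned_routes: read routing-table text on stdin and print the number
# of entries whose Flags field (column 3) contains both H and W. Header and
# section lines never match because NR > 1 skips the column header and the
# remaining non-route lines have no H/W in their third field.
count_cloned_routes() {
    awk 'NR > 1 && $3 ~ /H/ && $3 ~ /W/ { n++ } END { print n + 0 }'
}

# routes_over_limit LIMIT: succeed (exit 0) when the cloned-route count read
# from stdin exceeds LIMIT, so it can drive an alert in a monitoring script.
routes_over_limit() {
    limit=$1
    count=$(count_cloned_routes)
    [ "$count" -gt "$limit" ]
}

# Stand-alone usage on the constructed table; on a real host replace the
# printf with: netstat -rn | count_cloned_routes
printf '%s\n' "$SAMPLE_ROUTES" | count_cloned_routes
```

The threshold to alarm on depends on the box: a busy server normally holds one cloned route per recently active peer, so a sudden jump well above that baseline is the signal that the routing table is growing beyond what a linear scan tolerates.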