From owner-freebsd-net Fri Oct 4 10:34: 4 2002 Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 23A5F37B401 for ; Fri, 4 Oct 2002 10:34:04 -0700 (PDT) Received: from laptop.tenebras.com (laptop.tenebras.com [66.92.188.18]) by mx1.FreeBSD.org (Postfix) with SMTP id AE28E43E4A for ; Fri, 4 Oct 2002 10:34:03 -0700 (PDT) (envelope-from kudzu@tenebras.com) Received: (qmail 21437 invoked from network); 4 Oct 2002 17:34:02 -0000 Received: from sapphire.tenebras.com (HELO tenebras.com) (66.92.188.241) by 0 with SMTP; 4 Oct 2002 17:34:02 -0000 Message-ID: <3D9DD109.6030105@tenebras.com> Date: Fri, 04 Oct 2002 10:34:01 -0700 From: Michael Sierchio User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.1) Gecko/20020826 X-Accept-Language: en-us, en, fr-fr, ru MIME-Version: 1.0 To: John Polstra Cc: net@freebsd.org, julian@elischer.org Subject: Re: Anyone T/TCP? References: <200210041722.g94HMrbG002976@vashon.polstra.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org John Polstra wrote: > Accepting incoming T/TCP creates a pretty serious DoS vulnerability, > doesn't it? The very first packet contains the request, which the > server must act upon and reply to without further delay. There is no > 3-way handshake, so a simple attack using spoofed source addresses can > impose a huge load on the victim. Right. It's reasonable to use T/TCP when the transactions contain an authenticator, and in a VPN. For public access, it's subject to attacks for which there are no adequate countermeasures. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message