Date: Sat, 24 Apr 2004 08:43:28 -0700 (PDT)
From: Alan Evans <evans.alan@sbcglobal.net>
To: Andre Oppermann <andre@freebsd.org>, Chuck Swiger <cswiger@mac.com>
Cc: net@freebsd.org
Subject: Re: TCP vulnerability
Message-ID: <20040424154328.24028.qmail@web80105.mail.yahoo.com>
In-Reply-To: <408A863E.B6E60792@freebsd.org>
I agree, but what's most important is to maintain backward compatibility. If one breaks it, it's a DoS in some sense. I also saw some postings on NetBSD which does ratelimiting of ACKs (in response to SYNs), and ACKs RST. IMHO, the latter is bogus - why ACK a RST? And, the former may impose an artificial limit of some sort.

Alan Evans

--- Andre Oppermann <andre@freebsd.org> wrote:
> Chuck Swiger wrote:
> >
> > Alan Evans wrote:
> > > I'm sure FreeBSD is vulnerable.
> > >
> > > http://www.us-cert.gov/cas/techalerts/TA04-111A.html
> > >
> > > There's a draft that (sort of) addresses this. Should
> > > we adopt it?
> >
> > This issue is being discussed on freebsd-security now, and Mike Silbersack
> > <silby@silby.com> has some patches available for review and testing.
>
> There has been an additional problem in some BSD stacks with RST's
> which has been fixed in FreeBSD about six years ago. The remaining
> things which are addressed in that paper are hardening measures to
> reduce the chances of a brute force blind attack. There is *no*
> vulnerability in the sense of "send packet x" and everything breaks.
>
> --
> Andre
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040424154328.24028.qmail>
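The thread argues about two receiver-side hardening measures for blind RST attacks: accepting an RST only when its sequence number matches exactly (answering an in-window but inexact RST with an ACK, the "ACK a RST" behaviour Alan questions) and rate-limiting those ACKs. The following is an added example, written for this page and not taken from the thread, from the draft, or from Mike Silbersack's FreeBSD patches. It models the classic and the hardened RST validation side by side, works out how many sequence-number guesses a blind sender would have to sweep under each policy (the quantity Andre's "reduce the chances of a brute force blind attack" refers to), and adds a per-second token bucket so the reader can see where the "artificial limit" Alan mentions would sit. Function names, the 64 KiB window, and the per-second limit are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Outcome of validating an incoming RST against the connection's receive state. */
enum rst_action { RST_DROP = 0, RST_ACCEPT = 1, RST_CHALLENGE_ACK = 2 };

/* In-window test with 32-bit wraparound: true when seq lies in [rcv_nxt, rcv_nxt + rcv_wnd). */
static bool seq_in_window(uint32_t seq, uint32_t rcv_nxt, uint32_t rcv_wnd)
{
    return (uint32_t)(seq - rcv_nxt) < rcv_wnd;
}

/* Classic behaviour (hypothetical name): any RST whose sequence number falls
 * anywhere in the receive window tears the connection down. */
enum rst_action rst_action_classic(uint32_t seq, uint32_t rcv_nxt, uint32_t rcv_wnd)
{
    return seq_in_window(seq, rcv_nxt, rcv_wnd) ? RST_ACCEPT : RST_DROP;
}

/* Hardened behaviour (hypothetical name): only an RST matching rcv_nxt exactly is
 * accepted. An in-window but inexact RST is answered with an ACK carrying the
 * current state; a genuine peer that really reset will answer that ACK with an
 * exact RST, while a blind sender learns nothing. Out-of-window RSTs are dropped. */
enum rst_action rst_action_hardened(uint32_t seq, uint32_t rcv_nxt, uint32_t rcv_wnd)
{
    if (seq == rcv_nxt)
        return RST_ACCEPT;
    if (seq_in_window(seq, rcv_nxt, rcv_wnd))
        return RST_CHALLENGE_ACK;
    return RST_DROP;
}

/* Guesses needed to be certain of hitting an accepted sequence number when
 * stepping through the whole 2^32 space in steps of the accepted range size:
 * ceil(2^32 / accepted_range). Classic policy: range = window; exact-match: range = 1. */
uint64_t guesses_to_sweep(uint32_t accepted_range)
{
    uint64_t space = (uint64_t)1 << 32;
    return (space + accepted_range - 1) / accepted_range;
}

/* Per-connection limiter for challenge ACKs: at most `limit` ACKs per wall-clock second. */
struct ack_limiter {
    uint32_t limit;
    uint32_t used;
    uint64_t window_sec;
};

bool challenge_ack_allowed(struct ack_limiter *l, uint64_t now_sec)
{
    if (now_sec != l->window_sec) {   /* new second: reset the budget */
        l->window_sec = now_sec;
        l->used = 0;
    }
    if (l->used >= l->limit)
        return false;
    l->used++;
    return true;
}

/* How many of `attempts` back-to-back inexact RSTs within one second get a challenge ACK. */
uint32_t acks_sent_in_burst(uint32_t limit, uint32_t attempts, uint64_t sec)
{
    struct ack_limiter l = { limit, 0, 0 };
    uint32_t sent = 0;
    for (uint32_t i = 0; i < attempts; i++)
        if (challenge_ack_allowed(&l, sec))
            sent++;
    return sent;
}

int main(void)
{
    uint32_t rcv_nxt = 1000, rcv_wnd = 65535;   /* constructed connection state */
    printf("classic: in-window RST -> %d, hardened: same RST -> %d (2 = challenge ACK)\n",
           rst_action_classic(rcv_nxt + 500, rcv_nxt, rcv_wnd),
           rst_action_hardened(rcv_nxt + 500, rcv_nxt, rcv_wnd));
    printf("guesses to sweep, window %u: classic %llu, exact-match %llu\n", rcv_wnd,
           (unsigned long long)guesses_to_sweep(rcv_wnd),
           (unsigned long long)guesses_to_sweep(1));
    printf("challenge ACKs sent for 100 inexact RSTs in one second, limit 10: %u\n",
           acks_sent_in_burst(10, 100, 42));
    return 0;
}
```

The sweep count makes Andre's point concrete: the hardened check raises the work factor from roughly the sequence space divided by the window to the whole 32-bit space, which is a hardening measure rather than a fix for a "send packet x" bug, and the limiter shows where a ceiling on challenge ACKs would bound the extra traffic the check generates.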