From owner-freebsd-security@FreeBSD.ORG Wed Apr 21 23:47:11 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6089616A4CE for ; Wed, 21 Apr 2004 23:47:11 -0700 (PDT) Received: from cray.e-card.bg (www.ahtopol-sunnyday.com [212.91.167.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4FAA443D46 for ; Wed, 21 Apr 2004 23:47:10 -0700 (PDT) (envelope-from altares@cray.e-card.bg) Received: from cray.e-card.bg (localhost [127.0.0.1]) by cray.e-card.bg (8.12.9/8.12.9) with ESMTP id i3M6l9Um029692; Thu, 22 Apr 2004 09:47:09 +0300 (EEST) (envelope-from altares@cray.e-card.bg) Received: (from altares@localhost) by cray.e-card.bg (8.12.9/8.12.9/Submit) id i3M6l71c029691; Thu, 22 Apr 2004 09:47:07 +0300 (EEST) Date: Thu, 22 Apr 2004 09:47:07 +0300 From: Rumen Telbizov To: Mike Tancsa Message-ID: <20040422064707.GE8709@e-card.bg> References: <20040421165454.GB20049@lum.celabo.org> <6.0.3.0.0.20040421132605.0901bb40@209.112.4.2> <48FCF8AA-93CF-11D8-9C50-000393C94468@sarenet.es> <6.0.3.0.0.20040421161217.05453308@209.112.4.2> <75226E9B-93D3-11D8-90F9-003065ABFD92@mac.com> <4086E522.7090303@comcast.net> <20040421214445.GX476@seekingfire.com> <4086EED7.3070808@comcast.net> <4086F156.7040808@comcast.net> <6.0.3.0.0.20040421202553.08107ad0@209.112.4.2> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <6.0.3.0.0.20040421202553.08107ad0@209.112.4.2> User-Agent: Mutt/1.4.2.1i cc: freebsd-security@freebsd.org Subject: Re: Other possible protection against RST/SYN attacks (was Re: TCP RST attack X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Apr 2004 06:47:11 -0000 Hi On Wed, Apr 21, 2004 at 08:32:32PM -0400, Mike Tancsa wrote: > At 06:10 PM 21/04/2004, Gary Corcoran wrote: > > >>In any event, it still seems like a TTL of 255 is overkill for this > >>application... > > > >Unless, of course, you want to only accept packets with TTL > >of 255. This might be fine when both ends are setup to work > >this way. > > Yes, but thats the whole point of it. By having the 2 BGP speakers *only* > accept packets that have a TTL of 255, you are safe to bet it has not come > across another router as no one has decremented the TTL value. > Just a comment on the topic: How about if _accidentally_ the routers are configured with the following option (or similar)? # IPSTEALTH enables code to support stealth forwarding (i.e., forwarding # packets without touching the ttl). This can be useful to hide firewalls # from traceroute and similar tools. If the packet has been generated with ttl == 255 it would arrive with ttl == 255 to you after all, if all the routers are using this option! Just a thought! Rumen Telbizov