From: Neo-Vortex
To: freebsd-security@freebsd.org
Date: Thu, 22 Apr 2004 18:00:16 +1000 (EST)
Subject: Re: Other possible protection against RST/SYN attacks
In-Reply-To: <6.0.3.0.0.20040421132605.0901bb40@209.112.4.2>
Message-ID: <20040422175239.E16696@Neo-Vortex.Ath.Cx>

Here's my view on this whole thing and a solution to it:

Take a step back from the problem: how is it caused? Spoofing of packets. Numerous vulnerabilities come from spoofed packets, and no doubt there will be more to come. If the ability to spoof packets on the Internet was stopped, it would be much easier to fight such things, because they would not be possible.

How to stop the spoofing? Get ISPs to allow their customers to only send IP packets with the source address the same as their allocated IP(s) and drop the rest. If they all took the time to implement this, they would not have to worry so much about patches later on, because the probability of the packets being spoofed becomes so low. This could also be implemented on a higher level too (as in the higher-level ISPs doing similar stuff).
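The per-customer source-address check the post proposes, modelled as a small filter so the rule can be exercised offline. This is an added example, not code from the post or from FreeBSD; the port names, allocated prefixes and sample packets are constructed for illustration. It also shows the "higher level" variant the post mentions: an upstream carrier checking a downstream ISP's traffic against the aggregate it delegated, rather than against individual customer prefixes.

```python
"""Source-address validation at the access router, as proposed in the post.

Added example, not from the mailing-list post. The rule "a customer port may
only emit packets whose source lies inside the prefix(es) allocated to that
port" is written as a pure function over (port, src, dst) tuples so it can be
run against constructed traffic. All names and prefixes are hypothetical.
"""
from ipaddress import ip_address, ip_network, IPv4Network, IPv6Network
from typing import Dict, List, Tuple, Union

Network = Union[IPv4Network, IPv6Network]
Packet = Tuple[str, str, str]  # (ingress port, source address, destination)

# Hypothetical access-router table: ingress port -> prefixes handed to the
# customer on that port. Constructed for the example.
ALLOCATIONS: Dict[str, List[Network]] = {
    "cust-port-1": [ip_network("203.0.113.0/29")],
    "cust-port-2": [ip_network("198.51.100.64/26"), ip_network("2001:db8:1::/48")],
}

# Same idea one level up: the upstream carrier only knows the aggregates it
# delegated to the downstream ISP, so it filters the ISP's link against those.
UPSTREAM_ALLOCATIONS: Dict[str, List[Network]] = {
    "isp-link-a": [
        ip_network("203.0.113.0/24"),
        ip_network("198.51.100.0/24"),
        ip_network("2001:db8::/32"),
    ],
}


def source_allowed(ingress_port: str, src: str, table: Dict[str, List[Network]]) -> bool:
    """True if `src` is inside a prefix allocated to `ingress_port`.

    Unknown ports, malformed addresses and wrong address family all fail:
    the default is drop, which is what makes the filter useful.
    """
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    for net in table.get(ingress_port, []):
        if addr.version == net.version and addr in net:
            return True
    return False


def filter_packets(packets: List[Packet], table: Dict[str, List[Network]]):
    """Split packets into (forwarded, dropped) according to the allocation table."""
    forwarded: List[Packet] = []
    dropped: List[Packet] = []
    for pkt in packets:
        port, src, _dst = pkt
        (forwarded if source_allowed(port, src, table) else dropped).append(pkt)
    return forwarded, dropped


# Constructed sample traffic: the second and third entries are what a forged
# RST/SYN would look like from the access router's point of view.
SAMPLE: List[Packet] = [
    ("cust-port-1", "203.0.113.5", "192.0.2.10"),        # legitimate
    ("cust-port-1", "192.0.2.77", "192.0.2.10"),         # spoofed: not this customer's prefix
    ("cust-port-2", "203.0.113.5", "192.0.2.10"),        # spoofed: neighbouring customer's prefix
    ("cust-port-2", "2001:db8:1::42", "2001:db8:2::1"),  # legitimate IPv6
    ("cust-port-2", "198.51.100.300", "192.0.2.10"),     # malformed source, dropped
    ("cust-port-9", "203.0.113.5", "192.0.2.10"),        # port with no allocation, dropped
]

if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE, ALLOCATIONS)
    for p in fwd:
        print("forward", p)
    for p in drop:
        print("drop   ", p)
```

The upstream table is deliberately coarser: the carrier cannot tell which of the ISP's customers sent a packet, only whether the source belongs to the ISP at all, so spoofing within the ISP's own block is still caught only by the access-router rule. Note also that a strict per-port rule as written assumes each customer sends only from the prefixes on that port; a customer legitimately sourcing traffic from addresses learned elsewhere (for instance a multihomed site) needs its other prefixes added to the table or it will be dropped.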