Date: Thu, 22 Apr 2004 18:00:16 +1000 (EST)
From: Neo-Vortex <root@Neo-Vortex.Ath.Cx>
To: freebsd-security@freebsd.org
Subject: Re: Other possible protection against RST/SYN attacks
Message-ID: <20040422175239.E16696@Neo-Vortex.Ath.Cx>
In-Reply-To: <6.0.3.0.0.20040421132605.0901bb40@209.112.4.2>
References: <6.0.3.0.0.20040420125557.06b10d48@209.112.4.2> <xzp65buh5fa.fsf@dwp.des.no> <200404201332.40827.dr@kyx.net> <6.0.3.0.0.20040421121715.04547510@209.112.4.2> <6.0.3.0.0.20040421132605.0901bb40@209.112.4.2>

Here's my view on this whole thing and a solution to it:

Take a step back from the problem: how is it caused? Spoofing of packets. Numerous vulnerabilities come from spoofed packets, and no doubt there will be more to come. If the ability to spoof packets on the internet was stopped, it would be much easier to fight such things, because they would not be possible.

How to stop the spoofing? Get ISPs to allow their customers to only send IP packets with the src address the same as their allocated IP(s) and drop the rest. If they all took the time to implement this, they would not have to worry so much about patches later on because the probability of the packets being spoofed becomes so low.

This could also be implemented on a higher level too (as in the higher level ISPs doing similar stuff).
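The source-address check proposed in the message above, sketched as an added example that is not part of the original e-mail: a customer-facing port forwards a packet only if its IPv4 source address falls inside the prefixes allocated to that port. The port names, the prefixes (documentation ranges) and the sample packets are constructed assumptions.

```python
import ipaddress
import struct

# Constructed allocation table: customer-facing port -> prefixes the ISP assigned.
# Port names and prefixes are hypothetical (RFC 5737 documentation ranges).
ALLOCATIONS = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/28")],
    "cust-b": [ipaddress.ip_network("198.51.100.64/26"),
               ipaddress.ip_network("203.0.113.8/32")],
}

def ipv4_source(packet: bytes) -> ipaddress.IPv4Address:
    """Return the source address from a raw IPv4 header, or raise ValueError."""
    if len(packet) < 20:
        raise ValueError("shorter than minimum IPv4 header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("not a well-formed IPv4 header")
    return ipaddress.IPv4Address(packet[12:16])

def filter_from_customer(port: str, packet: bytes) -> str:
    """Decide 'forward' or 'drop' for a packet arriving on a customer port."""
    try:
        src = ipv4_source(packet)
    except ValueError:
        return "drop"  # malformed headers are never forwarded
    allowed = ALLOCATIONS.get(port, [])  # unknown port: nothing is allowed
    return "forward" if any(src in net for net in allowed) else "drop"

def build_header(src: str, dst: str) -> bytes:
    """Build a minimal 20-byte IPv4 header (checksum left at zero) for the demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

if __name__ == "__main__":
    samples = [  # constructed packets
        ("cust-a", build_header("192.0.2.5", "198.51.100.70")),    # own address
        ("cust-a", build_header("198.51.100.70", "203.0.113.8")),  # another customer's address
        ("cust-b", build_header("203.0.113.8", "192.0.2.5")),      # own /32
        ("cust-b", b"\x45\x00"),                                   # truncated header
    ]
    for port, pkt in samples:
        print(port, filter_from_customer(port, pkt))
```
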